About the Authors
Dan Holme
A graduate of Yale University and Thunderbird, the American Graduate School of Inter-
national Management, Dan has spent 10 years as a consultant and trainer, delivering
solutions to tens of thousands of IT professionals from the most prestigious organiza-
tions and corporations around the world. His clients have included AT&T, Johnson &
Johnson, HP, Boeing, Home Depot, and Intel, and he has recently been involved in
supporting the design and implementation of Active Directory at several enterprises,
including Raytheon, NBC 10 Olympics, and General Electric. Dan is the Director of
Training & Consulting for Intelliem, which specializes in boosting the productivity of IT
professionals and users by creating advanced, customized solutions that integrate cli-
ents’ specific design and configuration into productivity-focused training and knowl-
edge management services (info@intelliem.com). From his base in sunny Arizona, Dan
travels to client sites around the world and then unwinds on his favorite mode of trans-
portation—his snowboard. It takes a village to raise a happy geek, and Dan sends
undying thanks and love to those without whom sanity would be out of reach: Lyman,
Barb & Dick, Bob & Joni, Stan & Marylyn & Sondra, the Friels, Mark & Derrick, Ken &
Craig, Curt & James, and Maddie. And an extra thanks from “Danny Dash” to Craig,
Antonio, Art, and all the Mikes of Torino for a medal-winning experience!
Orin Thomas
Orin is a writer, speaker, trainer, and systems administrator who works for the certifi-
cation advice Web site Certtutor.net. His work in IT has been varied: He’s done every-
thing from providing first-level networking support to acting as systems administrator
for one of Australia’s largest companies. He founded the Melbourne Infrastructure
Administrators group, writes regularly for Windows IT Pro magazine, and has co-
authored several books for Microsoft Press. He holds a variety of certifications and a
bachelor’s degree in science with honors from the University of Melbourne. Orin
would like to thank his beautiful wife Oksana and awesome son Rooslan for their con-
stant unconditional love and support. He’d also like to thank Karen Szall, Maria
Gargiulo, Ken Jones, Dan Holme, and the rest of the team at Microsoft for their help in
getting this second edition of the 70-290 training kit out the door.
About This Book
Welcome to MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing and Main-
taining a Microsoft Windows Server 2003 Environment, Second Edition. We have
designed this book to prepare you effectively for the MCSE examination and, along the
way, to share with you knowledge about what it takes to implement Windows Server
2003 in your enterprise network. We hope that by helping you understand the under-
lying technologies, the variety of options for configuring feature sets, and the complex
interaction among components, you are better equipped to tackle the challenges that
you face in the information technology (IT) trenches. We also hope to serve the com-
munity at large—to elevate the worth of the MCSE moniker—so that behind each cer-
tification is a knowledgeable, experienced, capable professional.
Intended Audience
This book was developed for IT professionals who plan to take the related Microsoft
Certified Professional (MCP) exam 70-290, Managing and Maintaining a Microsoft
Windows Server 2003 Environment, as well as for IT professionals who administer
computers running Microsoft Windows Server 2003.
Note Exam skills are subject to change without prior notice and at the sole discretion of
Microsoft.
Prerequisites
This training kit requires that students meet the following prerequisites:
■ A minimum of 12 to 18 months of experience administering Windows technolo-
gies in a network environment
■ An understanding of Microsoft Active Directory directory service and related tech-
nologies, including Group Policy
About the CD-ROM
For your use, this book includes a companion CD-ROM, which contains a variety of
informational aids to complement the book content:
■ The Microsoft Press Readiness Review Suite Powered by MeasureUp. This suite of
practice tests and objective reviews contains questions of varying degrees of
complexity and offers multiple testing modes. You can assess your understanding
of the concepts presented in this book and use the results to develop a learning
plan that meets your needs.
■ An electronic version of this book (eBook). For information about using the
eBook, see the section, “The eBook,” later in this introduction.
■ An eBook of Microsoft Windows Scripting Self-Paced Learning Guide by Ed Wilson.
■ Sample chapters from several Microsoft Press books give you additional informa-
tion about Windows Server 2003 and introduce you to other resources that are
available from Microsoft Press.
■ An overview of Windows Server 2003 Service Pack 1 and Windows Server 2003 R2.
■ Documents about Windows x64 and 64-bit computing with Windows Server 2003.
■ Bonus material covering Software Update Services (SUS) and using VBScript to
automate user and group administration.
■ A free demo: “Answering Simulation Questions.”
■ Links to free e-Learning courses and clinics.
Two additional CD-ROMs contain a 180-day Evaluation Edition of Windows Server
2003 with SP1 and R2, Enterprise Edition. You will use SP1 to complete this training kit.
R2 is for your reference only; do not install R2 until you have completed the training kit
exercises.
Note The 180-day Evaluation Edition provided with this training kit is not the full retail prod-
uct and is provided only for the purposes of training and evaluation. Microsoft Technical Sup-
port does not support this evaluation edition.
For additional support information regarding this book and the CD-ROM (including
answers to commonly asked questions about installation and use), visit the Microsoft
Press Technical Support Web site at http://www.microsoft.com/mspress/support/. You
can also e-mail tkinput@microsoft.com or send a letter to Microsoft Press, Attention:
Microsoft Press Technical Support, One Microsoft Way, Redmond, WA 98052-6399.
Features of This Book
This book has two parts. Use Part 1 to learn at your own pace and practice what you’ve
learned with practical exercises. Part 2 contains questions and answers that you can
use to test yourself on what you’ve learned.
Part 1: Learn at Your Own Pace
Each chapter identifies the exam objectives that are covered in the chapter, provides an
overview of why the topics matter by identifying how the information applies in the
real world, and lists any prerequisites that must be met to complete the lessons pre-
sented in the chapter.
The chapters contain a set of lessons. Lessons contain practices that include one or
more hands-on exercises. These exercises give you an opportunity to use the skills
being presented or explore the part of the application being described. Each lesson
also has a set of review questions to test your knowledge of the material covered in
that lesson. The answers to the questions are found in the “Questions and Answers”
section at the end of each chapter.
After the lessons, you are given an opportunity to apply what you’ve learned in a case-
scenario exercise. In this exercise, you work through a multistep solution for a realistic
case scenario. You are also given an opportunity to work through a troubleshooting lab
that explores difficulties you might encounter when applying what you’ve learned on
the job.
Each chapter ends with a summary of key concepts and a short section listing key top-
ics and terms that you need to know before taking the exam, summarizing the key
points with a focus on the exam.
Real World Helpful Information
You will find sidebars like this one that contain related information you might
find helpful. “Real World” sidebars contain specific information gained through
the experience of IT professionals just like you.
Part 2: Prepare for the Exam
Part 2 helps to familiarize you with the types of questions that you will encounter on
the MCP exam. By reviewing the objectives and the sample questions, you can focus
on the specific skills that you need to improve before taking the exam.
See Also For a complete list of Microsoft certification exams and their related objectives,
go to http://www.microsoft.com/learning/mcp/default.asp.
Part 2 is organized by the exam’s objectives. Each chapter covers one of the primary
groups of objectives, called Objective Domains. Each chapter lists the tested skills you
must master to answer the exam questions and includes a list of further readings to
help you improve your ability to perform the tasks or skills specified by the objectives.
Within each Objective Domain, you will find the related objectives that are covered on
the exam. Each objective provides you with several practice exam questions. The
answers are accompanied by explanations of each correct and incorrect answer.
On the CD These questions are also available on the companion CD as a practice test.
Informational Notes
Several types of reader aids appear throughout the training kit:
■ Tip contains methods of performing a task more quickly or in a not-so-obvious
way.
■ Important contains information that is essential to completing a task.
■ Note contains supplemental information.
■ Caution contains valuable information about possible loss of data; be sure to read
this information carefully.
■ Warning contains critical information about possible physical injury; be sure to
read this information carefully.
■ See Also contains references to other sources of information.
■ Planning contains hints and useful information that should help you to plan the
implementation.
■ Security Alert highlights information you need to know to maximize security in
your work environment.
■ Exam Tip flags information you should know before taking the certification
exam.
■ Off the Record contains practical advice about the real-world implications of
information presented in the lesson.
Notational Conventions
The following conventions are used throughout this book.
■ Characters or commands that you type appear in bold type.
■ Italic in syntax statements indicates placeholders for variable information. Italic is
also used for book titles.
■ Names of files and folders appear in Title caps, except when you are to type them
directly. Unless otherwise indicated, you can use all lowercase letters when you
type a file name in a dialog box or at a command prompt.
■ File name extensions appear in all lowercase.
■ Acronyms appear in all uppercase.
■ Monospace type represents code samples, examples of screen text, or entries that
you might type at a command prompt or in initialization files.
■ Square brackets [ ] are used in syntax statements to enclose optional items. For
example, [filename] in command syntax indicates that you can choose to type a
file name with the command. Type only the information within the brackets, not
the brackets themselves.
■ Braces { } are used in syntax statements to enclose required items. Type only the
information within the braces, not the braces themselves.
Keyboard Conventions
■ A plus sign (+) between two key names means that you must press those keys at
the same time. For example, “Press ALT+TAB” means that you hold down ALT while
you press TAB.
■ A comma ( , ) between two or more key names means that you must press each
of the keys consecutively, not together. For example, “Press ALT, F, X” means that
you press and release each key in sequence. “Press ALT+W, L” means that you first
press ALT and W at the same time and then release them and press L.
Getting Started
This training kit contains hands-on exercises to help you learn about implementing,
supporting, and troubleshooting Windows Server 2003 technologies. Use this section to
prepare your self-paced training environment. You can complete most of the exercises
on a single test computer in a lab environment. Several optional exercises require a
second computer running Windows Server 2003 or Windows XP; the two computers
must be connected to each other on a network.
Caution Exercises, as well as the changes you make to your test computer, might have
undesirable results if you are connected to a larger network. Check with your network admin-
istrator before attempting these exercises.
Hardware Requirements
The test computer must have the following minimum configuration. All hardware
should be in the Windows Server Catalog, and should meet the requirements listed at
http://www.microsoft.com/windows/catalog/server/default.aspx.
■ Minimum CPU: 133 MHz processor (733 MHz is recommended)
■ Minimum RAM: 128 MB (256 MB is recommended; 64 GB maximum)
■ Disk space for setup: 1.5 GB to 2.0 GB
■ Free disk space for installation of WSUS: 10 GB
■ Display monitor capable of 800 × 600 resolution or higher
■ CD-ROM or DVD-ROM drive
■ Microsoft Mouse or compatible pointing device
Software Requirements
The following software is required to complete the procedures in this training kit:
■ Windows Server 2003 SP1, Enterprise Edition (a 180-day Evaluation Edition of
Windows Server 2003 with SP1 and R2, Enterprise Edition, is included on the
CD-ROM.)
■ Windows XP Professional (Not included on the CD-ROM. Required in optional
hands-on exercises only.)
Caution The 180-day Evaluation Edition provided with this training kit is not the full retail
product and is provided only for the purposes of training and evaluation. Microsoft Technical
Support does not support evaluation editions. For additional support information regarding
this book and the CD-ROMs (including answers to commonly asked questions about installation
and use), visit the Microsoft Press Technical Support Web site at
http://www.microsoft.com/learning/support/books/. You can also e-mail tkinput@microsoft.com
or send a letter to Microsoft Press, Attn: Microsoft Press Technical Support, One Microsoft Way,
Redmond, WA 98052-6399.
Setup Instructions
Set up your computer according to the manufacturer’s instructions. The server should
be configured as follows:
■ Windows Server 2003 SP1, Enterprise Edition
Important The evaluation edition software provided with this training kit includes Service
Pack 1. Install Service Pack 1 (CD1) to complete the exercises in this training kit. Do not
install R2 (CD2) until you have completed the exercises. This version of R2 is for your refer-
ence only. It is not covered in the 70-290 exam and therefore is not covered in this training kit.
■ Computer name: Server01
■ Domain controller in the domain contoso.com
■ 1 GB of unpartitioned disk drive space
If you are very comfortable with the installation of Windows Server 2003, you may con-
figure the server using the above guidelines. Otherwise you may use the more com-
prehensive setup instructions that are provided in Chapter 1, “Introducing Microsoft
Windows Server 2003.”
The second computer will act as a second server or a Windows XP client for the
optional hands-on exercises in the course. Chapters that require a second computer
will provide configuration guidance in the “Before You Begin” section of the chapter.
Caution If your computers are connected to a larger network, you must verify with your net-
work administrator that the computer names, domain names, and other information used in
setting up Windows Server 2003, as described above and in Chapter 1, do not conflict with
network operations. If they conflict, ask your network administrator to provide alternative val-
ues and use those values throughout all the exercises in this book.
The Microsoft Press Readiness Review Suite
The CD-ROM includes a practice test of 300 sample exam questions and an objective
review with an additional 125 questions. Use these tools to reinforce your learning and
to identify any areas in which you need to gain more experience before taking the
exam.
To install the practice test and objective review
1. Insert the companion CD-ROM into your CD-ROM drive.
On the CD If AutoRun is disabled on your machine, refer to the Readme.txt file on the
CD-ROM.
2. Click Readiness Review Suite on the user interface menu and follow the prompts.
The eBook
The CD-ROM includes an electronic version of this training kit, an eBook for the
Microsoft Windows Scripting Self-Paced Learning Guide by Ed Wilson, and bonus
material, including sample chapters from several Microsoft Press books and relevant
white papers. The eBook and the bonus materials are in Portable Document Format
(PDF) and can be viewed using Adobe Reader.
To use the eBook
1. Insert the companion CD-ROM into your CD-ROM drive.
On the CD If AutoRun is disabled on your machine, refer to the Readme.txt file on the
CD-ROM.
2. Click eBook on the user interface menu. You can also review any of the other
PDFs that are provided.
The Microsoft Certified Professional Program
The Microsoft certifications provide the best method to prove your command of cur-
rent Microsoft products and technologies. The exams and corresponding certifications
are developed to validate your mastery of critical competencies as you design and
develop, or implement and support, solutions with Microsoft products and technolo-
gies. Computer professionals who become Microsoft-certified are recognized as
experts and are sought after industry-wide. Certification brings a variety of benefits to
the individual and to employers and organizations.
See Also For a full list of Microsoft certifications, go to http://www.microsoft.com/learning
/itpro/default.asp.
Technical Support
Every effort has been made to ensure the accuracy of this book and the contents of the
companion disc. If you have comments, questions, or ideas regarding this book or the
companion disc, please send them to Microsoft Press using either of the following
methods:
E-mail: tkinput@microsoft.com
Postal Mail: Microsoft Press
Attn: MCSA/MCSE Self-Paced Training Kit (Exam 70-290): Managing
and Maintaining a Microsoft Windows Server 2003 Environment, Second
Edition, Editor
One Microsoft Way
Redmond, WA 98052-6399
For additional support information regarding this book and the CD-ROM (including
answers to commonly asked questions about installation and use), visit the Microsoft
Press Technical Support Web site at http://www.microsoft.com/learning/support/books.
To connect directly to the Microsoft Press Knowledge Base and enter a query, visit
http://www.microsoft.com/mspress/support/search.asp. For support information regarding
Microsoft software, please connect to http://support.microsoft.com/.
Evaluation Edition Software Support
The 180-day Evaluation Edition provided with this training kit is not the full retail product
and is provided only for the purposes of training and evaluation. Microsoft and
Microsoft Technical Support do not support this evaluation edition.
Caution The Evaluation Edition of Windows Server 2003 with SP1 and R2, Enterprise Edition,
that is included with this book should not be used on a primary work computer. The evaluation
edition is unsupported. For online support information relating to the full version of Windows
Server 2003 R2, Enterprise Edition, that might also apply to the Evaluation Edition, you can
connect to http://support.microsoft.com/.
Information about any issues relating to the use of this Evaluation Edition with this
training kit is posted to the Support section of the Microsoft Press Web site
(http://www.microsoft.com/learning/support/books/). For information about ordering the
full version of any Microsoft software, please call Microsoft Sales at (800) 426-9400
or visit http://www.microsoft.com.
Part I
Learn at Your Own Pace
1 Introducing Microsoft Windows Server 2003
This chapter does not cover specific exam objectives. After introducing the Microsoft
Windows Server 2003 family of products, this chapter covers some installation and con-
figuration considerations with a focus on what you need to know for the 70-290 certi-
fication exam.
Why This Chapter Matters
The purpose of this book is to empower you to manage and maintain a Microsoft
Windows Server 2003 environment, and to prepare you effectively for the 70-290
certification examination. Although it is assumed that you have experience with
Microsoft Windows technologies, the Windows Server 2003 family and Microsoft
Active Directory directory service itself might be new to you. The goal of this
chapter, therefore, is to introduce you to the multiple versions and editions of
Windows Server 2003, so that you can identify the key distinctions among them
and determine the mix of versions that will most effectively meet the needs of
your organization. You will then be guided through the process of installing and
configuring a computer that is running Windows Server 2003 and that functions
as a domain controller in an Active Directory domain.
Lessons in this Chapter:
■ Lesson 1: The Windows Server 2003 Family
■ Lesson 2: Installation and Configuration of Windows Server 2003 and Active Directory
Before You Begin
This chapter will guide you through the steps required to configure a computer run-
ning Windows Server 2003. You will be able to use that computer for the hands-on
exercises throughout this training kit. The computer should have at least one disk drive
that can be erased and used to install Windows Server 2003.
Lesson 1: The Windows Server 2003 Family
Windows Server 2003 is, of course, more secure, more reliable, more available, and
easier to administer than any previous version of Windows. Let’s take a close look at
the platform and how it compares to Microsoft Windows 2000. This lesson provides a
brief overview of the Windows Server 2003 family, focusing on the differences among
the product editions: Web Edition, Standard Edition, Enterprise Edition, and Datacenter
Edition. The lesson also summarizes the enhancements introduced by Service Pack 1
(SP1) and Windows Server 2003 R2.
After this lesson, you will be able to
■ Recognize the security improvements introduced by SP1
■ Understand the role of Windows Server 2003 R2 in the product lifecycle
■ Identify the key differences among the Windows Server 2003 editions
Estimated lesson time: 5 minutes
Introducing the Windows Server 2003 Server Family
Windows Server 2003 is an incremental update to the platform and technologies intro-
duced in Windows 2000. If you are coming to Windows Server 2003 with experience
from Windows 2000 servers, you will find the transition a relatively easy one. If your
experience is with Microsoft Windows NT 4, welcome to the new world!
But don’t let the incremental nature of the updates mislead you; behind the upgrades are
significant and long-awaited improvements to the security and reliability of the operating
system and to the administrative toolset. In many books, this would be the place where
you would get a laundry list of new features. Actually, the Windows Server 2003 list is
extensive and there are features that make upgrading to Windows Server 2003 an obvi-
ous choice for almost any administrator. However, the particular features that appeal to
you might be different from those that appeal to another IT professional.
You might be drawn to the significant features and improvements added to Active
Directory, the new tools to support popular but complex Group Policy Objects
(GPOs), the enhancements to enterprise security, the improvements to Terminal Ser-
vices, or a number of other enhanced capabilities of the new operating system. If you
are considering a move to Windows Server 2003, take a good look through the
Microsoft Web site for the platform, at http://www.microsoft.com/windowsserver2003,
and judge for yourself which improvements are, in your environment, truly significant.
Service Pack 1
Windows Server 2003 SP1 enhances the security of Windows Server 2003 by enabling
administrators to install a server with a significant number of security updates already
integrated into the operating system. You can also apply SP1 to existing Windows Server
2003 installations. New features, including Windows Firewall, Post-Setup Security
Updates (PSSU), and the Security Configuration Wizard (SCW), reduce security vulnera-
bilities by closing ports and reducing attack surface during post-setup configuration and
based on a server’s role. Throughout this second edition of the training kit, we will dis-
cuss the important changes introduced by SP1.
On the CD You can learn more about SP1 by reading the Windows Server 2003 Service Pack 1
Product Overview on the CD-ROM accompanying this book.
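As an added illustration (not part of the training kit and not taken from the SP1 Product Overview), the batch script below shows the command-line side of two of the SP1 features just named: it records and tightens Windows Firewall through the netsh firewall context, then checks the server against a policy saved by the Security Configuration Wizard with scwcmd. The policy file C:\scw\Server01.xml, the results folder and the 10.0.0.0/24 administrative subnet are assumptions for a lab.

```batch
@echo off
rem Added example, not from the training kit: audit and tighten the SP1
rem Windows Firewall, then check the server against a saved SCW policy.
rem Assumes Windows Server 2003 SP1 on Server01, a policy already saved by
rem the Security Configuration Wizard at C:\scw\Server01.xml, and an
rem administrative subnet of 10.0.0.0/24 (all three are lab assumptions).

rem 1. Record the current operating mode and every open port and service
rem    before changing anything, so the change can be reviewed later.
netsh firewall show state
netsh firewall show config

rem 2. Make sure the firewall is on. Keep exceptions enabled so the
rem    allowances in step 3 apply; exceptions=DISABLE is the emergency
rem    "shields up" mode that ignores every exception, Remote Desktop included.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

rem 3. Close what this role does not need and scope what it does:
rem    UPnP off; Remote Desktop only from the admin subnet; file and
rem    print sharing (the SMB ports) only from the local subnet.
netsh firewall set service type=UPNP mode=DISABLE
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=10.0.0.0/24
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=SUBNET

rem 4. Compare the live configuration with the saved SCW policy and render
rem    the analysis as HTML; services, ports and settings that drifted from
rem    the policy are listed there.
scwcmd analyze /m:Server01 /p:C:\scw\Server01.xml /o:C:\scw\results
scwcmd view /x:C:\scw\results\Server01.xml /s:%windir%\security\msscw\TransformFiles\scwanalysis.xsl
```

Step 3 is written for a member server. Once Server01 is a domain controller it must also accept the directory, Kerberos and DNS traffic its clients depend on, which is exactly what a role-based SCW policy enumerates; on a domain controller, run the analysis in step 4 and apply the policy rather than hand-picking exceptions.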
Windows Server 2003 R2
Windows Server 2003 R2 further extends the Windows Server 2003 operating system by
delivering features that do the following:
■ Facilitate the management of servers in branch offices
■ Improve identity management across platforms, applications, and organizations
■ Simplify storage configuration and management
■ Support rich, high-performance Web applications
■ Enable cost-effective server virtualization
Windows Server 2003 R2 builds on the code base of Windows Server 2003 SP1. In fact,
the first CD-ROM of a Windows Server 2003 R2 installation set is Windows Server 2003
with SP1. The second CD-ROM provides the installation of new features.
Important The 70-290 exam includes SP1, but it does not test your knowledge of features
introduced by R2. Therefore, the practices in this book assume you have not installed R2 fea-
tures. If you choose to install R2 features, you might have to modify the steps in the practices.
On the CD You can learn more about Windows Server 2003 R2 by reading the Windows
Server 2003 R2 Overview Guide on the CD-ROM accompanying this book.
Windows Server 2003 Editions
Although the list of features introduced by Windows Server 2003 SP1 and R2 is exten-
sive, the evaluation of the operating system becomes more interesting because Win-
dows Server 2003 is available in multiple flavors including the 32-bit, 64-bit, and
embedded versions. But the most important distinctions are those among the four
product editions, listed here in order of available features and functionality, as well as
by price:
■ Windows Server 2003, Web Edition
■ Windows Server 2003, Standard Edition
■ Windows Server 2003, Enterprise Edition
■ Windows Server 2003, Datacenter Edition
Web Edition
To position Windows Server 2003 more competitively against other Web servers,
Microsoft has released a stripped-down-yet-impressive edition of Windows Server 2003
designed specifically for Web services. The feature set and licensing allows customers
easy deployment of Web pages, Web sites, Web applications, and Web services.
Web Edition supports 2 gigabytes (GB) of RAM and a two-way symmetric multiproces-
sor (SMP). It provides unlimited anonymous Web connections but only 10 inbound
server message block (SMB) connections, which should be more than enough for con-
tent publishing. The server cannot be an Internet gateway, DHCP or fax server.
Although you can remotely administer the server with Remote Desktop, the server can-
not be a terminal server in the traditional sense of supporting multiple concurrent user
sessions. The server can belong to a domain but cannot be a domain controller.
Windows Server 2003 R2 is not available in a Web Edition.
Standard Edition
Windows Server 2003, Standard Edition, is a robust, multipurpose server capable of
providing directory, file, print, application, multimedia, and Web services for small to
medium-sized businesses. Its comprehensive feature set is expanded, compared to
Windows 2000, with a free, out-of-the-box Post Office Protocol version 3 (POP3) ser-
vice which, combined with the included Simple Mail Transfer Protocol (SMTP) service,
allows a server to function as a small, stand-alone mail server; and Network Load Bal-
ancing (NLB), a useful tool that was included only with the Advanced Server edition of
Windows 2000.
The Standard Edition of Windows Server 2003 supports up to 4 GB of RAM and
four-way SMP.
Enterprise Edition
The Enterprise Edition of Windows Server 2003 is designed to be a powerful server
platform for medium- to large-sized businesses. Its enterprise-class features include
support for eight processors, 32 GB of RAM, and eight-node clustering (including clus-
tering based on a Storage Area Network [SAN] and geographically dispersed clustering)
and availability for 64-bit Intel Itanium-based computers, on which scalability increases
to 64 GB of RAM and 8-way SMP.
Other features that distinguish the Enterprise Edition from the Standard Edition include:
■ Support for Microsoft Metadirectory Services (MMS), which enables the integration
of multiple directories, databases, and files with Active Directory.
■ Hot Add Memory, so that you can add memory to supported hardware systems
without downtime or reboot.
■ Windows System Resource Manager (WSRM), which supports the allocation of
CPU and memory resources on a per-application basis.
Datacenter Edition
The Datacenter Edition, which is available only as an OEM version as part of a high-
end server hardware package, provides almost unfathomable scalability, with support
on 32-bit platforms for 32-way SMP with 64 GB of RAM and on 64-bit platforms for 64-
way SMP with 512 GB of RAM. There is also a 128-way SMP version that supports two
64-way SMP partitions.
64-Bit Editions
Windows Server 2003 SP1, Enterprise Edition, and Windows Server 2003 SP1, Datacenter
Edition, are available for computers running Intel Itanium processors. Windows Server
2003 Standard x64 Edition, Enterprise x64 Edition, and Datacenter x64 Edition were
released in 2005 and share a code base with Windows Server 2003 SP1, even though
the x64 editions are not designated as SP1. These editions run on processors that
include AMD Opteron, AMD Athlon 64, Intel Xeon, and Pentium with Intel EM64T.
Each of the x64 editions, but not the Itanium versions, is available in the Windows
Server 2003 R2 server family.
Windows Server 64-bit editions provide for higher CPU clock speeds and faster float-
ing-point processor operations than the 32-bit editions. CPU coding improvements and
processing enhancements yield significantly faster computational operations. Increased
access speed to an enormous memory address space allows for smooth operation of
complex, resource-intensive applications such as massive database applications, scien-
tific analysis applications, and heavily accessed Web servers.
Some features of the 32-bit editions are not available in the 64-bit editions. Most nota-
bly, the 64-bit editions do not support 16-bit Windows applications, real-mode appli-
cations, POSIX applications, or print services for Apple Macintosh clients.
On the CD You can learn more about 64-bit editions by reading Benefits of Windows x64
and 64-Bit Computing with Windows Server 2003 on the CD-ROM accompanying this book.
Windows Small Business Server 2003
Windows Small Business Server 2003 (SBS 2003), also available in the SP1 and R2 product lines, delivers an out-of-the-box solution for small businesses that includes file and print services, e-mail (Microsoft Exchange Server 2003 and Microsoft Outlook), intranet and Web services (Microsoft Windows SharePoint Services), group faxing (Microsoft Shared Fax Service), and, in the premium edition, Internet proxy and firewall (Microsoft ISA Server), database (Microsoft SQL Server 2000 and, in R2, SQL Server 2005 Workgroup Edition) and Web development (Microsoft Office FrontPage 2003).
The 70-290 certification exam does not address features unique to SBS 2003.
See Also You can learn more about Windows Small Business Server 2003 at
http://www.microsoft.com/windowsserver2003/sbs.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. You are planning the deployment of computers running Windows Server 2003 for a department of 250 employees. The server will host the home directories and shared folders for the department, and it will serve several printers to which departmental documents are sent. Which edition of Windows Server 2003 will provide the most cost-effective solution for the department?
2. You are planning the deployment of computers running Windows Server 2003 for a new Active Directory domain in a large corporation that includes multiple separate Active Directory installations maintained by each of the corporation’s subsidiaries. The company has decided to roll out Exchange Server 2003 as a unified messaging platform for all the subsidiaries and plans to use Microsoft Metadirectory Services (MMS) to synchronize appropriate properties of objects throughout the organization. Which edition of Windows Server 2003 will provide the most cost-effective solution for this deployment?
3. You are rolling out servers to provide Internet access to your company’s e-commerce application. You anticipate four servers dedicated to the front-end Web application and one server for a robust, active SQL database. Which editions will provide the most cost-effective solution?
Lesson Summary
■ Windows Server 2003 SP1 delivered important security enhancements to the family of products.
■ Windows Server 2003 R2 adds a number of features to Windows Server 2003 SP1.
The Windows Server 2003 R2 installation consists of two CD-ROMs, the first of
which installs the Windows Server 2003 SP1 operating system and the second of
which installs the features new to R2.
■ Windows Server 2003 is available in 64-bit as well as 32-bit versions.
■ The primary distinctions among versions of Windows Server 2003 are the product
editions: Web Edition, Standard Edition, Enterprise Edition, and Datacenter Edition,
each of which supports a subset of features honed to a specific purpose.
■ Taken as a whole, Windows Server 2003 is an upgrade to Windows 2000. However, the feature and security improvements are significant, and you are likely to find that particular upgrades provide critical enhancements for your particular environment.
Lesson 2: Installation and Configuration of Windows Server 2003 and Active Directory
The 70-290 examination focuses on the management and maintenance of a Windows Server 2003 environment. The objectives of the exam focus very little attention on Active Directory itself; some of the objectives, however, relate to the administration of Active Directory objects: users, groups, computers, printers, and shared folders in particular. The chapters that follow will explain the examination objectives in detail, and hands-on exercises will be an important component of your learning experience. Those exercises require you to have configured a domain controller running Windows Server 2003. If you are comfortable configuring a domain controller and creating basic user, group, and computer accounts, you can skip this lesson. If you are less familiar with Active Directory, this lesson will provide sufficient foundation for you to embark on a full exploration of Windows Server 2003.
After this lesson, you will be able to
■ Install Windows Server 2003 SP1
■ Identify the key structures and concepts of Active Directory
■ Create a domain controller
■ Create Active Directory objects including users, groups, and organizational units (OUs)
Estimated lesson time: 60 minutes
Installing and Configuring Windows Server 2003
As an experienced IT professional, you have no doubt spent considerable time installing Windows platforms. Some of the important and enhanced considerations when installing Windows Server 2003 SP1 are
■ Bootable CD-ROM installation Most administrators first became accustomed
to installing an operating system by booting from the CD-ROM in the late 1990s.
Windows Server 2003 continues the trend, and can be installed directly from the
CD-ROM. But Windows Server 2003 adds a twist: there is no support for starting
installation from floppy disks.
■ Improved graphical user interface (GUI) during setup Windows Server
2003 uses a GUI during setup that resembles that of Windows XP. It communicates
more clearly the current state of the installation and the amount of time required
to complete installation.
■ Post-Setup Security Updates (PSSU) After installation of the operating system, a server remains vulnerable to exploits discovered after SP1 was released. To mitigate this vulnerability, PSSU by default enables Windows Firewall to prevent inbound connections until an administrator has applied currently available high-priority security updates and has enabled Automatic Updates.
■ Product activation Retail and evaluation versions of Windows Server 2003
require that you activate the product. Volume licensing programs, such as Open
License, Select License, or Enterprise Agreement, do not require activation.
The specific steps required to install and configure Windows Server 2003 SP1 are outlined in Exercises 1 and 2.
After installing, updating, and activating Windows Server 2003, you can configure the
server using a well-thought-out Manage Your Server page, as shown in Figure 1-1, that
launches automatically at logon. The page facilitates the installation of specific services,
tools, and configurations based on server roles. Click Add Or Remove A Role and the
Configure Your Server Wizard appears.
Figure 1-1 The Manage Your Server page
If you select Domain Controller (Active Directory), the Configure Your Server Wizard
promotes the server to a domain controller in a new domain, installs Active Directory
services, and, if needed, Domain Name Service (DNS), Dynamic Host Configuration
Protocol (DHCP), and Routing And Remote Access (RRAS) service.
If you select Custom Configuration, the Configure Your Server Wizard can configure
the following roles:
■ File Server Provides convenient, centralized access to files and directories for individual users, departments, and entire organizations. Choosing this option allows you to manage user disk space by enabling and configuring disk quota management and to provide improved file system search performance by enabling the Indexing service.
■ Print Server Provides centralized and managed access to printing devices by
serving shared printers and printer drivers to client computers. Choosing this option
starts the Add Printer Wizard to install printers and their associated Windows printer
drivers. It also installs Internet Information Services (IIS 6.0) and configures Internet
Printing Protocol (IPP) and installs the Web-based printer administration tools.
■ Application Server (IIS, ASP.NET) Provides infrastructure components required to support the hosting of Web applications. This role installs and configures IIS 6.0 as well as ASP.NET and COM+.
■ Mail Server (POP3, SMTP) Installs POP3 and SMTP so that the server can act as
an e-mail server for POP3 clients.
■ Terminal Server Provides applications and server resources, such as printers
and storage, to multiple users as if those applications and resources were installed
on their own computers. Users connect with the Terminal Services or Remote
Desktop clients. Unlike Windows 2000, Windows Server 2003 provides Remote
Desktop for Administration automatically. Terminal Server roles are required only
when hosting applications for users on a terminal server.
■ Remote Access/VPN Server Provides multiple-protocol routing and remote
access services for dial-in, local area networks (LANs) and wide area networks
(WANs). Virtual private network (VPN) connections allow remote sites and users
to connect securely to the network using standard Internet connections.
■ Domain Controller (Active Directory) Provides directory services to clients in the network. This option configures a domain controller for a new or existing domain and installs DNS. Choosing this option runs the Active Directory Installation Wizard.
■ DNS Server Provides host name resolution by translating host names to IP
addresses (forward lookups) and IP addresses to host names (reverse lookups).
Choosing this option installs the DNS service and then starts the Configure A DNS
Server Wizard.
■ DHCP Server Provides automatic IP addressing services to clients configured
to use dynamic IP addressing. Choosing this option installs DHCP services and
then starts the New Scope Wizard to define one or more IP address scopes in the
network.
■ Streaming Media Server Provides Windows Media Services (WMS). WMS
enables the server to stream multimedia content over an intranet or the Internet.
Content can be stored and delivered on demand or delivered in real time.
Choosing this option installs WMS.
■ WINS Server Provides computer name resolution by translating NetBIOS names
to IP addresses. It is not necessary to install Windows Internet Name Service
(WINS) unless you are supporting legacy operating systems such as Windows 95
or Windows NT. Operating systems such as Windows 2000 and Windows XP do
not require WINS, although legacy applications on those platforms might very
well require NetBIOS name resolution. Choosing this option installs WINS.
To complete the hands-on exercises in this book, you will configure a computer as Server01, acting as a domain controller in the domain contoso.com. The steps for configuring the server as a domain controller using the Configure Your Server Wizard are listed in Exercise 3 at the end of this lesson.
Active Directory
Many books have been devoted to the planning, implementation, and support of
Active Directory. If you are experienced with Active Directory, you will recognize that
the following discussion has been simplified solely because it would take many books
to discuss all the detail. The goal of this section is to distill that information to what you
should know to approach the 70-290 exam.
Networks, Directory Services, and Domain Controllers
Networks were created on the day when the first user decided he or she did not want to
walk down the hall to get something from another user. In the end, networks are all
about providing resources remotely. Those resources are often files, folders, and printers.
Over time those resources have come to include many things, most significantly, e-mail,
databases, and applications. There has to be some mechanism to keep track of these
resources, providing, at a minimum, a directory of users and groups so that the resources
can be secured against undesired access.
Microsoft Windows networks support two directory service models: the workgroup and the domain. The domain model is by far the more common in organizations implementing Windows Server 2003. The domain model is characterized by a single directory of enterprise resources—Active Directory—that is trusted by all secure systems that belong to the domain. Those systems can therefore use the security principals (user, group, and computer accounts) in the directory to secure their resources. Active Directory thus acts as an identity store, providing a single trusted list of Who’s Who in the domain.
Active Directory itself is more than just a database, though. It is a collection of supporting files that includes transaction logs and the system volume, or Sysvol, that contains logon scripts and Group Policy information. It is the services that support and use the database, including Lightweight Directory Access Protocol (LDAP), Kerberos security protocol, replication processes, and the File Replication Service (FRS). The database and its services are installed on one or more domain controllers. A domain controller is a server that has been promoted by running the Active Directory Installation Wizard, either by running DCPROMO from the command line or, as you will do in Exercise 3, by running the Configure Your Server Wizard. Once a server has become a domain controller, it hosts a copy, or replica, of Active Directory, and changes to the database on any domain controller are replicated to all domain controllers within the domain.
Domains, Trees, and Forests
Active Directory cannot exist without at least one domain, and vice versa. A domain is the core administrative unit of the Windows Server 2003 directory service. However, an enterprise might have more than one domain in its Active Directory. Multiple domain models create logical structures called trees when they share contiguous DNS names. For example, contoso.com, us.contoso.com, and europe.contoso.com share a contiguous DNS namespace, and would therefore be referred to as a tree.
If domains in an Active Directory do not share a common root domain, they create
multiple trees. That leads you to the largest structure in an Active Directory: the forest.
An Active Directory forest includes all domains within that Active Directory. A forest
might contain multiple domains in multiple trees, or just one domain. When more than
one domain exists, a component of Active Directory called the Global Catalog becomes
important because it provides information about objects that are located in other
domains in the forest.
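As an added example (not code from the training kit), the following Python groups a list of domain DNS names into trees using the contiguous-namespace rule just described, and reports whether the forest spans more than one domain, which is when the Global Catalog matters for cross-domain lookups. The domain names are constructed sample input.

```python
"""Group an Active Directory forest's domains into trees by DNS namespace.

Added example, not code from the training kit.  A domain belongs to the same
tree as another domain when its DNS name is formed by prefixing one label to
that domain's name (us.contoso.com under contoso.com); a domain with no such
parent in the forest is the root of its own tree.
"""


def normalize(name):
    """Lower-case a DNS name and drop surrounding whitespace and any trailing dot."""
    return name.strip().lower().rstrip(".")


def immediate_parent(name):
    """Return the name with its first label removed, e.g. us.contoso.com -> contoso.com."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def tree_root(domain, forest):
    """Walk up the contiguous namespace until no parent domain exists in the forest."""
    root = normalize(domain)
    parent = immediate_parent(root)
    while parent in forest:
        root = parent
        parent = immediate_parent(root)
    return root


def build_trees(domains):
    """Return {tree root: sorted list of domains in that tree} for the forest."""
    forest = {normalize(d) for d in domains}
    trees = {}
    for d in forest:
        trees.setdefault(tree_root(d, forest), []).append(d)
    return {root: sorted(members) for root, members in trees.items()}


def forest_summary(domains):
    """Counts a planner cares about: domains, trees, and whether the Global
    Catalog matters for lookups across domains (only when there is more than one)."""
    trees = build_trees(domains)
    domain_count = sum(len(members) for members in trees.values())
    return {
        "domains": domain_count,
        "trees": len(trees),
        "global_catalog_matters": domain_count > 1,
    }


if __name__ == "__main__":
    # Constructed sample forest: one contoso.com tree and one fabrikam.com tree.
    sample = ["contoso.com", "us.contoso.com", "europe.contoso.com",
              "fabrikam.com", "research.fabrikam.com"]
    for root, members in build_trees(sample).items():
        print(root, "->", members)
    print(forest_summary(sample))
```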
Objects and Organizational Units (OUs)
Enterprise resources are represented in Active Directory as objects, or records in the database. Each object has numerous attributes, or properties, that define it. For example, a user object includes the user name and password; a group object includes the group name and a list of its members.
To create an object in Active Directory, open the Active Directory Users And Computers console from the Administrative Tools program group. Expand the domain to reveal its containers and OUs. Right-click a container or OU, select New, and then select the type of object you want to create.
Active Directory is capable of hosting millions of objects, including users, groups, computers, printers, shared folders, sites, site links, Group Policy Objects (GPOs), and even DNS zones and host records. You can imagine that without some kind of structure, accessing and administering the directory would be a nightmare.
Structure is the function of a specific object type called an organizational unit, or OU. OUs are containers within a domain that allow you to group objects that share common administration or configuration. But they do more than just organize Active Directory objects. They provide important administrative capabilities because they provide a point at which administrative functions can be delegated and to which group policies can be linked.
Delegation
Administrative delegation relates to the simple idea that you might want a front-line administrator to be able to change the password for a certain subset of users. Each object in Active Directory (in this case, the user objects) includes an access control list (ACL) that defines permissions for that object, just as files on a disk volume have ACLs that define access for those files. So, for example, a user object’s ACL will define what groups are allowed to reset its password. It would get complicated to assign the front-line administrator permissions to change each individual user’s password, so instead you can put all of those users in a single OU and assign that administrator the reset password permission on the OU. That permission will be inherited by all user objects in the OU, thereby allowing that administrator to reset the password of every user in the OU.
Resetting user passwords is just one example of administrative delegation. There are thousands of combinations of permissions that could be assigned to groups administering and supporting Active Directory. OUs allow an enterprise to create an active representation of its administrative model and to specify who can do what to objects in the domain.
Group Policy
OUs are also used to collect objects—computers and users—that are configured similarly. Just about any configuration you can make to a system can be managed centrally through a feature of Active Directory called Group Policy. Group Policy allows you to specify security settings, deploy software, and configure operating system and application behavior without ever touching a machine. You simply implement your configuration within a GPO.
GPOs are collections of hundreds of possible configuration settings, from user logon rights and privileges to the software that is allowed to be run on a system. A GPO is linked to a container within Active Directory—typically an OU, but it can also be a domain or even a site—and all the users and computers beneath that container are affected by the settings contained in the GPO.
You will likely see Group Policy referred to on the 70-290 exam. The important things to remember about Group Policy are that it is a tool that can centrally implement configuration; that some settings apply to computers only and some settings apply to users only; and that the only computers or users that will be affected by a policy are those that are beneath the OU to which the policy is linked.
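The following added example (not code from the training kit or from Windows) models both the delegation described in the previous section and the Group Policy scoping described here with the same test: whether an object’s distinguished name lies beneath the container on which the permission was granted or to which the GPO was linked. The group names, OU names, GPO names, and access control entries are constructed sample data.

```python
"""Model the two OU roles described in this lesson: delegating a permission on an
OU so that the user objects beneath it inherit it, and linking a GPO to a
container so that the users and computers beneath it are affected.

Added example, not code from the training kit or from Windows.  ACEs and GPO
links are simplified constructed records: real ACLs carry many more fields, and
real Group Policy processing also involves link order, inheritance blocking and
security filtering, none of which is modeled here.
"""


def dn_parts(dn):
    """Split 'CN=Alice,OU=Sales,DC=contoso,DC=com' into normalized components."""
    return [part.strip().lower() for part in dn.split(",")]


def is_beneath(object_dn, container_dn):
    """True when object_dn is inside container_dn (at any depth) or is the container itself."""
    obj, cont = dn_parts(object_dn), dn_parts(container_dn)
    return len(obj) >= len(cont) and obj[-len(cont):] == cont


def ace_applies(ace, object_dn, object_class):
    """An ACE reaches an object if it is set on that object itself, or set on an
    ancestor container with inheritance and for a matching object class."""
    if ace["class"] != object_class:
        return False
    if dn_parts(ace["on"]) == dn_parts(object_dn):
        return True
    return ace["inherit"] and is_beneath(object_dn, ace["on"])


def can_exercise(group, right, object_dn, object_class, aces):
    """Does `group` hold `right` on the object, directly or by inheritance from an OU?"""
    return any(
        ace["group"].lower() == group.lower()
        and ace["right"] == right
        and ace_applies(ace, object_dn, object_class)
        for ace in aces
    )


def applied_gpos(object_dn, object_class, links):
    """Names of GPOs linked at the object's domain or at an OU above it whose
    settings side (user or computer) matches the object's class."""
    return sorted(
        link["gpo"]
        for link in links
        if link["settings"] in (object_class, "both")
        and is_beneath(object_dn, link["linked_to"])
    )


# Constructed sample directory data for the contoso.com domain used in this chapter.
DOMAIN = "DC=contoso,DC=com"
SALES_OU = "OU=Sales," + DOMAIN
ALICE = "CN=Alice,OU=Sales," + DOMAIN
BOB = "CN=Bob,OU=Engineering," + DOMAIN
WS01 = "CN=WS01,OU=Sales," + DOMAIN

ACES = [
    # Reset Password delegated to the help desk on the whole Sales OU, inherited by user objects.
    {"on": SALES_OU, "group": "CONTOSO\\HelpDesk", "right": "Reset Password",
     "class": "user", "inherit": True},
    # The same right granted directly on one user object only, with no inheritance.
    {"on": BOB, "group": "CONTOSO\\EngManager", "right": "Reset Password",
     "class": "user", "inherit": False},
]

LINKS = [
    {"gpo": "Default Domain Policy", "linked_to": DOMAIN, "settings": "both"},
    {"gpo": "Sales Desktop Lockdown", "linked_to": SALES_OU, "settings": "user"},
    {"gpo": "Sales Workstations", "linked_to": SALES_OU, "settings": "computer"},
]


if __name__ == "__main__":
    print(can_exercise("CONTOSO\\HelpDesk", "Reset Password", ALICE, "user", ACES))  # True
    print(can_exercise("CONTOSO\\HelpDesk", "Reset Password", BOB, "user", ACES))    # False
    print(applied_gpos(ALICE, "user", LINKS))     # ['Default Domain Policy', 'Sales Desktop Lockdown']
    print(applied_gpos(WS01, "computer", LINKS))  # ['Default Domain Policy', 'Sales Workstations']
```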
Learning More
As suggested earlier in this section, Active Directory is a large and complex topic that
deserves significant examination if you are going to implement Windows Server 2003
as a domain controller. The following Microsoft Press titles are recommended reading:
■ Active Directory for Microsoft Windows Server 2003 Technical Reference
■ MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure, Second Edition
Practice: Installing and Configuring Windows Server 2003 SP1
In this practice, you will configure a computer to run Windows Server 2003 SP1. You
will then promote the server to become a domain controller in the contoso.com
domain.
Exercise 1: Installing Windows Server 2003 SP1
This exercise should be performed on a computer compatible with Windows Server 2003 SP1. It assumes that the primary hard drive is completely empty. If your disk already has partitions configured, you can modify the exercise to match the configuration of your system.
1. Configure the computer’s BIOS or the disk controller BIOS to boot from the CD-ROM. If you are not sure how to configure your computer or disk controller to boot from the CD-ROM, consult your hardware documentation.
2. Insert the Windows Server 2003 SP1 installation CD-ROM into the CD-ROM drive
and start the computer.
Note Use the Windows Server 2003 R2 Evaluation Edition CD 1 included with this book to
install Windows Server 2003 SP1.
3. If the primary disk is not empty, a message appears prompting you to press any
key to boot from the CD. If you see this message, press any key.
After the computer starts, a brief message appears explaining that your system
configuration is being inspected, and then the Windows Setup screen appears.
4. If your computer requires special mass storage drivers that are not part of the
Windows Server 2003 driver set, press F6 when prompted and provide the
appropriate drivers.
5. The system prompts you to press F2 to perform an Automated System Recovery (ASR). ASR is a new feature in Windows Server 2003 that replaces the Emergency Repair Disk feature of previous versions of Windows, and is described in Chapter 13. Do not press F2 at this time. Setup will continue.
Notice that the gray status bar at the bottom of the screen indicates that the computer is being inspected and that files are loading. This is required to start a minimal version of the operating system.
6. If you are installing an evaluation version of Windows Server 2003, the Setup Notification screen appears informing you of this. Read the Setup Notification message, and then press ENTER to continue.
Setup displays the Welcome To Setup screen.
Notice that, in addition to the initial installation of the operating system, you can
use Windows Server 2003 Setup to repair a damaged Windows installation. The
Recovery Console is described in Chapter 13.
7. Read the Welcome To Setup message, and then press ENTER to continue.
Setup displays the License Agreement screen.
8. Read the license agreement, pressing PAGE DOWN to scroll to the bottom of the
screen.
9. Press F8 to accept the agreement.
Setup displays the Windows Server 2003 Setup screen, prompting you to select an
area of free space or an existing partition on which to install the operating system.
This stage of setup provides a way for you to create and delete partitions on your
hard disk.
To complete the exercises in this book, you will need to configure a partition large
enough to host the operating system installation (recommended minimum size is
3 GB) and unallocated space of at least 1 GB. The following steps assume your
disk is at least 4 GB in size and is currently empty. You may make adjustments to
accommodate your situation.
10. Press C to create a partition.
11. To create a 3-GB partition, type 3072 in the Create Partition Of Size (In MB) box
and press ENTER.
12. Confirm that your partitioning is similar to that shown in Figure 1-2. Again, the recommendations for the hands-on exercises are a C partition of at least 3 GB and 1 GB of unpartitioned space.
Figure 1-2 Partitioning the hard drive for setup
13. Select C Partition1 [New (Raw)] and press ENTER to install.
You are prompted to select a file system for the partition.
14. Verify that the Format The Partition Using The NTFS File System option is selected,
and press ENTER to continue.
Setup formats the partition with NTFS, examines the hard disk for physical errors
that might cause the installation to fail, copies files to the hard disk, and initializes
the installation. This process takes several minutes.
Eventually, Setup displays a red status bar that counts down for 15 seconds before
the computer restarts and enters the GUI mode of the setup process.
15. After the text mode of setup has completed, the system restarts. Do not, when
prompted, press a key to boot to the CD-ROM.
Windows Setup launches and produces a graphical user interface that tracks the progress of installation in the left pane. Collecting Information, Dynamic Update, and Preparing Installation options are selected. Collecting Information was completed before the GUI appeared, and Dynamic Update is not used when starting from the CD-ROM. The system is now Preparing Installation by copying files to the local disk drive.
16. On the Regional And Language Options page, choose settings that are appropriate
for your language and text input requirements, and then click Next.
Tip You can modify regional settings after you install the operating system using Regional
And Language Options in Control Panel.
Setup displays the Personalize Your Software page, prompting you for your name
and organization name.
17. In the Name text box, type your name; in the Organization text box, type the
name of an organization, and then click Next.
Setup displays the Your Product Key page.
18. Enter the product key included with your Windows Server 2003 SP1 installation
CD-ROM (Evaluation edition software CD 1), and then click Next.
Setup displays the Licensing Modes dialog box, prompting you to select a
licensing mode.
19. Verify that the Per Server Number Of Concurrent Connections option is 5, and
then click Next.
Caution Per Server Number Of Concurrent Connections and five concurrent connections
are suggested values to be used to complete your self-study. You should use a legal number
of concurrent connections based on the actual licenses that you own. You can also choose to
use Per Device Or Per User option instead of Per Server.
Setup displays the Computer Name And Administrator Password page.
Notice that Setup uses your organization name to generate a suggested name for
the computer. If you didn’t enter an organization name earlier in the installation
process, Setup uses your name to generate part of the computer name.
20. In the Computer Name text box, type Server01.
The computer name displays in all capital letters regardless of how it is entered.
Throughout the rest of this self-paced training kit, the practices refer to Server01.
Caution If your computer is on a network, check with the network administrator before
assigning a name to your computer.
21. In the Administrator Password text box and the Confirm Password text box, type
a complex password for the Administrator account (one that others cannot easily
guess). Remember this password because you will be logging on as Administrator
to perform most hands-on exercises.
Important In a manual installation, Windows Server 2003 will not let you progress to subsequent steps until you enter an Administrator password that meets complexity requirements. You are allowed to enter a blank password, though this practice is strongly discouraged.
If the server has a modem installed, you will be presented with the Modem Dialing
Information dialog box.
22. Type your area code, and then click Next.
The Date And Time Settings page appears.
23. Type the correct Date & Time and Time Zone settings, and then click Next.
Important Windows Server 2003 services depend on the computer’s time and date settings. Be sure to enter the correct time and date, and to select the correct time zone for your location.
Setup installs networking, and then the Networking Settings page appears.
24. Select Typical Settings, and then click Next.
The Workgroup Or Computer Domain page appears.
25. Verify that the first option is selected and that the workgroup name is Workgroup,
and then click Next.
Setup installs and configures the remaining operating system components. When
the installation is complete, the computer restarts automatically and the Welcome
To Windows dialog box appears. You may continue with Exercise 2.
Exercise 2: Performing Post-installation Configuration of Windows Server 2003 SP1
Windows Server 2003 SP1 and Windows Server 2003 R2 increase the security and reliability of a server by guiding you through the steps required to apply software updates that Microsoft has released subsequent to SP1. This process is called Windows Server Post-Setup Security Updates (PSSU). To further enhance security, Windows Firewall blocks all inbound connections, other than those specifically opened during setup or by policy settings. After PSSU is complete, Windows Firewall is disabled.
After Windows Server 2003 has completed booting and the Welcome To Windows dialog box has appeared, complete the following steps:
1. Press CTRL+ALT+DELETE to initiate logon and type the password you configured for
the Administrator account.
If you installed the system using the Evaluation edition software included with this
book or any other version of Windows Server 2003 R2, you will be prompted to
insert CD 2, which contains the new features of R2.
Important The practices in this book assume you have not installed R2 features. If you
choose to install R2 features, you might have to modify the steps in the practices.
2. Click Cancel to complete setup without installing R2 features. Windows Setup will
remind you that you can complete the installation of R2 features by running
Setup2.exe from CD 2. Click OK.
Note Some editions of Windows Server 2003, including the Evaluation Edition provided with this book, require that you activate the operating system after you install it. Activation must occur within 14 days of installation. The activation process is simple and can be completed over the Internet or by telephone. If you acquire your license to use Windows Server 2003 through one of the Microsoft volume licensing programs, you are not required to activate the license.
3. Click the balloon that appears in the System tray to initiate activation of Windows
Server 2003. Follow the prompts.
Note To activate by Internet, you will have to connect Server01 to the network and you
might have to adjust the TCP/IP properties of your network interface card (NIC) to reflect an
appropriate IP address, subnet mask, default gateway, and DNS server address.
The Windows Server Post-Setup Security Updates page appears. You will follow
the instructions on the page.
4. Click Update This Server.
The Microsoft Windows Update site opens in Internet Explorer. Internet Explorer
prompts you that Microsoft Internet Explorer’s Enhanced Security Configuration is
currently enabled.
5. Click OK to acknowledge the Internet Explorer Enhanced Security Configuration
message.
An Internet Explorer Security Warning prompts you to install Windows Update.
6. Click Install.
7. Follow the prompts of the Windows Update Web site to install updates. The exact
steps will vary depending on the updates that have been released by Microsoft
since the release of SP1. Typically, choosing an Express update will enable you to
install high-priority updates, including security updates. Certain updates might
require you to restart the server.
8. Repeat steps 4 through 7 until Windows Update reports that there are no high-priority updates remaining.
Note In a production environment, it is recommended that you update your system using
Microsoft Update (http://update.microsoft.com/microsoftupdate) rather than Windows
Update. The Microsoft Update site delivers updates to Windows Server 2003 as well as a
range of Microsoft applications and services, including SQL Server and Exchange Server.
9. On the Windows Server Post-Setup Security Updates page, click Configure Automatic Updating For This Server.
The System Properties dialog box appears, with the Automatic Updates tab selected.
10. Click Automatic.
11. Click OK.
12. On the Windows Server Post-Setup Security Updates page, click Finish.
Windows Server Post-Setup Security Updates prompts you to confirm that you
have downloaded and installed all available security updates.
13. Click Yes.
Windows Firewall will be disabled, allowing inbound connections. You may
enable and configure Windows Firewall by opening Windows Firewall from
Control Panel.
The Manage Your Server page appears. You may continue with Exercise 3.
Exercise 3: Configuring the Server
In this exercise, you will configure the server as the first domain controller in an Active
Directory domain called contoso.com.
Note When the Active Directory Installation Wizard is launched, the steps that it prompts you to follow will differ based on whether it detects another domain on the network. The steps presented below assume you are running the wizard on an isolated network. If you are connected to a network with another domain, the steps might vary, and you may either modify your choices appropriately or disconnect from the network prior to performing the exercise.
1. If it is not already open, open the Manage Your Server page from the Administrative Tools program group.
2. Click Add Or Remove A Role. The Configure Your Server Wizard appears.
3. Click Next and the Configure Your Server Wizard detects network settings.
4. Click Domain Controller (Active Directory), and then click Next.
5. In Active Directory Domain Name, type contoso.com.
6. Verify that NetBIOS Domain Name reads CONTOSO and click Next.
7. Verify that the Summary Of Selections matches that shown in Figure 1-3 and
click Next.
The Configure Your Server Wizard reminds you that the system will restart and
asks you to close any open programs.
Figure 1-3 Summary Of Selections
8. Click Yes.
9. After the system has restarted, log on as Administrator.
10. The Configure Your Server Wizard will summarize its final steps, as shown in
Figure 1-4.
Figure 1-4 The Configure Your Server Wizard
11. Click Next and then click Finish.
12. Open Active Directory Users And Computers from the Administrative Tools program group. Confirm that you now have a domain called contoso.com by expanding the domain and locating the computer account for Server01 in the Domain Controllers OU.
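The lesson summary notes that the Active Directory Installation Wizard can also be started by running DCPROMO from the command line. The following script is an added example, not part of the training kit, showing the unattended equivalent of Exercise 3 on an isolated server: it writes a dcpromo answer file with the [DCInstall] keys documented for Windows Server 2003 and runs dcpromo /answer against it. The Directory Services Restore Mode password is a placeholder you must replace, and the database, log, and SYSVOL paths are assumptions matching the wizard's defaults.

```powershell
# Added example (not from the training kit): unattended promotion of an isolated
# server to the first domain controller of contoso.com. The answer file holds the
# DSRM password in clear text, so it is removed as soon as dcpromo returns.
$answerFile   = Join-Path $env:TEMP 'dcpromo-contoso.txt'
$dsrmPassword = 'REPLACE-WITH-STRONG-DSRM-PASSWORD'   # placeholder, change before use

$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
TreeOrChild=Tree
CreateOrJoin=Create
NewDomainDNSName=contoso.com
DomainNetBiosName=CONTOSO
AutoConfigDNS=Yes
AllowAnonymousAccess=No
DatabasePath=$env:SystemRoot\NTDS
LogPath=$env:SystemRoot\NTDS
SYSVOLPath=$env:SystemRoot\SYSVOL
SafeModeAdminPassword=$dsrmPassword
RebootOnSuccess=No
"@

Set-Content -Path $answerFile -Value $answer -Encoding ASCII
try {
    # dcpromo reads the file and runs the Active Directory Installation Wizard
    # without prompting; RebootOnSuccess=No keeps control here so the file can be
    # cleaned up before the restart that the wizard's step 8 performs.
    & "$env:SystemRoot\System32\dcpromo.exe" "/answer:$answerFile"
}
finally {
    # remove the clear-text DSRM password whether or not promotion succeeded
    if (Test-Path $answerFile) { Remove-Item $answerFile -Force }
}
Write-Host 'Answer file removed. Restart the server to complete the promotion (shutdown /r /t 0).'
```

After the restart, the same verification as step 12 applies: Active Directory Users And Computers should show the contoso.com domain with Server01 in the Domain Controllers OU.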
Lesson Review
1. Which of the following versions of Windows Server 2003 require product activation? (Choose all that apply.)
a. Windows Server 2003, Standard Edition, retail version
b. Windows Server 2003, Enterprise Edition, evaluation version
c. Windows Server 2003, Enterprise Edition, Open License version
d. Windows Server 2003, Standard Edition, Volume License version
2. What are the distinctions among a domain, a tree, and a forest in Active Directory?
3. Which of the following is true about setup in Windows Server 2003 SP1? (Choose
all that apply.)
a. Setup can be launched by booting to the CD-ROM.
b. Setup can be launched by booting to setup floppies.
c. Setup requires a nonblank password to meet complexity requirements.
d. Setup will allow you to enter all 1’s for the Product ID.
e. The server will not allow inbound connections until after PSSU has been
completed.
Lesson Summary
1. Windows Server 2003 retail and evaluation versions require product activation.
2. Windows Server 2003 SP1 Post-Setup Security Updates enables Windows Firewall and, thereby, prevents inbound connections, until an administrator applies high-priority security updates and enables Automatic Updates.
3. The Manage Your Server page and the Configure Your Server Wizard provide
helpful guidance to the installation and configuration of additional services based
on the desired server role.
4. Active Directory—the Windows Server 2003 directory service—is installed on a
server using the Active Directory Installation Wizard, which is launched using the
Configure Your Server Wizard or by running DCPROMO from the command line.
Questions and Answers
Lesson 1 Review (page 1-8)
1. You are planning the deployment of computers running Windows Server 2003 for
a department of 250 employees. The server will host the home directories and
shared folders for the department, and it will serve several printers to which
departmental documents are sent. Which edition of Windows Server 2003 will provide the most cost-effective solution for the department?
Windows Server 2003, Standard Edition, is a robust platform for file and print services in a
small to medium-sized enterprise or department.
2. You are planning the deployment of computers running Windows Server 2003 for a
new Active Directory domain in a large corporation that includes multiple separate
Active Directory installations maintained by each of the corporation’s subsidiaries.
The company has decided to roll out Exchange Server 2003 as a unified messaging
platform for all the subsidiaries, and plans to use Microsoft Metadirectory Services
(MMS) to synchronize appropriate properties of objects throughout the organization.
Which edition of Windows Server 2003 will provide the most cost-effective solution
for this deployment?
Windows Server 2003, Enterprise Edition, is the most cost-effective solution that supports
MMS. Standard and Web editions do not support MMS.
3. You are rolling out servers to provide Internet access to your company’s e-commerce application. You anticipate four servers dedicated to the front-end Web application and one server for a robust, active SQL database. Which editions will provide the most cost-effective solution?
Windows Server 2003, Web Edition, provides a cost-effective platform for the four Web application servers. However, Web Edition will not support enterprise applications such as SQL Server; the edition of MSDE included with Web Edition allows only 25 concurrent connections. Therefore, Windows Server 2003, Standard Edition, provides the most cost-effective platform for a SQL Server.
Lesson 2 Review (page 1-24)
1. Which of the following versions of Windows Server 2003 require product activation? (Choose all that apply.)
a. Windows Server 2003, Standard Edition, retail version
b. Windows Server 2003, Enterprise Edition, evaluation version
c. Windows Server 2003, Enterprise Edition, Open License version
d. Windows Server 2003, Standard Edition, Volume License version
The correct answers are a and b.
2. What are the distinctions among a domain, a tree, and a forest in Active Directory?
A domain is the core administrative unit in Active Directory. A forest is the scope of Active Directory. A forest must contain at least one domain. If a forest contains more than one domain, domains that share a contiguous DNS namespace—meaning domains that have a common root domain—create a tree. Domains that do not share contiguous DNS namespace create distinct trees within the forest.
3. Which of the following is true about setup in Windows Server 2003? (Choose all
that apply.)
a. Setup can be launched by booting to the CD-ROM.
b. Setup can be launched by booting to setup floppies.
c. Setup requires that a nonblank password meet default complexity requirements.
d. Setup will allow you to enter all 1’s for the Product ID.
e. The server will not allow inbound connections until after PSSU has been
completed.
The correct answers are a, c, and e.
2 Administering Microsoft Windows Server 2003
Exam Objectives in this Chapter:
■ Manage servers remotely
❑ Manage a server by using Remote Assistance
❑ Manage a server by using Terminal Services remote administration mode
❑ Manage a server by using available support tools
■ Troubleshoot Terminal Services
❑ Diagnose and resolve issues related to Terminal Services security
❑ Diagnose and resolve issues related to client access to Terminal Services
Why This Chapter Matters
Microsoft Windows Server 2003 administrative tools, called snap-ins, enable you to manage user accounts, modify computer software and service settings, install new hardware, and perform many other tasks. The Microsoft Management Console (MMC) provides the framework within which these snap-ins operate. Although the default consoles delivered with Windows Server 2003 contain one or more snap-ins related to a single task, MMCs can be customized to fit the exact needs of the administrator and the task at hand. Many MMC snap-ins also support remote administration, allowing you to connect to and manage another computer without requiring “sneaker net” (a physical visit to the other computer).
Windows Server 2003 provides several other important options for remote systems management. When you require more control than you can achieve using the remote connection supported by MMC snap-ins, you can leverage Remote Desktop For Administration and Remote Assistance. Remote Desktop For Administration opens a session that gives you complete control of a remote system as if you were logged on locally at the computer’s console. Remote Desktop is akin to “remote control” software such as PCAnywhere or Virtual Network Computer (VNC), but it is fully integrated and supported with Microsoft Windows XP and Windows Server 2003. Remote Assistance is used to connect to an existing session on a remote computer, allowing you to view or even control what another user is doing in that session. Remote Assistance is particularly useful for user support scenarios, when you need to see and help a user.
Finally, Windows Server 2003 supports traditional Terminal Services functionality so that multiple users can connect to and open sessions on a single server. Terminal Services and the Remote Desktop client reduce the costs of support and management because the installation and configuration of applications is performed only once: on the terminal server itself. User desktops act as “terminals” and require only an operating system and the Remote Desktop client. In fact, users can connect to a terminal server using a hardware-based or software-based thin client. This chapter will explore each of these options for administration and support of local and remote systems.
Lessons in this Chapter:
■ Lesson 1: The Microsoft Management Console (page 2-3)
■ Lesson 2: Managing Computers Remotely with the MMC (page 2-9)
■ Lesson 3: Managing Servers with Remote Desktop For Administration (page 2-13)
■ Lesson 4: Using Remote Assistance (page 2-21)
■ Lesson 5: Terminal Server (page 2-29)
Before You Begin
To perform the practices related to the objectives in this chapter, you must have
■ A computer that has Windows Server 2003 installed and operating. To follow the examples directly, your server should be named Server01 and function as a domain controller in the contoso.com domain.
■ A configured and functioning Transmission Control Protocol/Internet Protocol (TCP/IP) network to which your console and remote administrative target computers can connect (for administration of remote computers).
■ A second computer running Windows Server 2003, named Server02 and configured as a member server in the contoso.com domain.
Lesson 1: The Microsoft Management Console
The administrative framework of Windows Server 2003 is the MMC. The MMC provides a standardized, common interface for one or more tools, called snap-ins, that are specialized for individual tasks. The default administrative tools in Windows Server 2003 are MMCs with one or more snap-ins suited to a specific purpose. The Active Directory Users And Computers administrative tool, for example, is an MMC with the Active Directory Users And Computers snap-in.
After this lesson, you will be able to
■ Configure an MMC with individual snap-ins
■ Configure an MMC with multiple snap-ins
■ Save an MMC in Author or User mode
Estimated lesson time: 15 minutes
The MMC
The MMC provides a two-paned framework consisting of a console tree pane, also called a scope pane, and a details pane. The MMC menus and a toolbar provide commands for manipulating the parent and child windows, snap-ins, and the console itself.
Navigating the MMC
An empty MMC is shown in Figure 2-1. Note that the console has a name and that there
is a Console Root. This Console Root will contain any snap-ins that you choose to
include.
Figure 2-1 An empty MMC
Each console includes a console tree, console menu and toolbars, and the details pane.
The contents of these will vary, depending on the design and features of the snap-in
you use. Figure 2-2 shows a populated MMC with two snap-ins loaded.
Figure 2-2 A populated MMC
Using the MMC Menus and Toolbar
Although each snap-in will add its unique menu and toolbar items, there are several
key menus and commands that you will use in many situations that are common to
most snap-ins, as shown in Table 2-1.
Table 2-1 Common MMC Menus and Commands
File: Create a new console, open an existing console, add or remove snap-ins from a console, set options for saving a console, the recent console file list, and an exit command
Action: Varies by snap-in but generally includes export, output, configuration, and help features specific to the snap-in
View: Varies by snap-in, but includes a customize option to change general console characteristics
Favorites: Allows for adding and organizing saved consoles
Window: Open a new window, cascade, tile, and switch between open child windows in this console
Help: General help menu for the MMC as well as loaded snap-in help modules
Extending the MMC with Snap-Ins
Each MMC contains a collection of one or more tools called snap-ins. A snap-in
extends the MMC by adding specific management capability and functionality. There
are two types of snap-ins: stand-alone and extension.
Stand-Alone Snap-Ins
Stand-alone snap-ins are provided by the developer of an application. All administrative tools for Windows Server 2003, for example, are either single snap-in consoles or consoles with a combination of snap-ins useful to a particular task. The File Server Management console (Filesvr.msc), for example, contains snap-ins to facilitate the configuration, monitoring, and optimization of file server storage and shares.
Extension Snap-Ins
Extension snap-ins, or extensions, are designed to work with one or more stand-alone
snap-ins. When you add an extension, Windows Server 2003 places the extension into
the appropriate location within the stand-alone snap-in.
Many snap-ins can act as a stand-alone snap-in or extend the functionality of other snap-ins. For example, the Event Viewer snap-in can operate as a stand-alone snap-in, as in the Event Viewer console, and is an available extension for the Computer Management snap-in.
Building a Customized MMC
You can combine one or more snap-ins to create customized MMCs, which you can
then use to consolidate the tools you require for administration.
To create a customized MMC:
1. Click Start, and then select Run.
2. In the Open text box, type mmc and then click OK. A blank MMC will appear.
3. Select the File menu, and then select Add/Remove Snap-In. The Add/Remove
Snap-In dialog box appears with the Standalone tab active. Note that no snap-ins
are loaded.
4. Click Add to display the Add Stand-alone Snap-In dialog box. Locate the snap-in
you want to add, and then click Add. Many snap-ins prompt you to specify
whether you wish to focus the snap-in on the local computer or another computer
on the network.
5. When you have added all the snap-ins you require, close the dialog boxes.
6. To save the customized MMC, select the File menu and then select Save.
Off the Record Spend a few minutes analyzing your daily tasks and group them by type of
function and frequency of use. Build two or three customized consoles that contain the tools
that you use most often. You will save quite a bit of time not needing to open, switch among,
and close tools as often.
Console Options
Console options determine how an MMC operates in terms of what nodes in the console tree may be opened, what snap-ins may be added, and what windows may be created. You configure console options in the Options dialog box, which you can open by clicking Options on the File menu.
Author Mode
When you save a console in Author mode, which is the default, you enable full access
to all of the MMC functionality, including:
■ Adding or removing snap-ins
■ Creating windows
■ Creating taskpad views and tasks
■ Viewing portions of the console tree
■ Changing the options on the console
■ Saving the console
User Modes
If you plan to distribute an MMC with specific functions, you can set the desired User mode and then save the console. By default, consoles will be saved in the Administrative Tools folder in the users’ profile. Table 2-2 describes the user modes that are available for saving the MMC.
Table 2-2 MMC User Modes
Full Access: Allows users to navigate between snap-ins, open windows, and access all portions of the console tree.
Limited Access, Multiple Windows: Prevents users from opening new windows or accessing a portion of the console tree but allows them to view multiple windows in the console.
Limited Access, Single Window: Prevents users from opening new windows or accessing a portion of the console tree and allows them to view only one window in the console.
Note MMCs, when saved, have an *.msc extension. Active Directory Users And Computers, for example, is named Dsa.msc (Directory Services Administrator.msc).
Tip Create administrative consoles for your administrators by saving customized consoles, optionally in a restricted User mode, and distributing the resulting .msc files. Any snap-in used in a custom console must be installed on the system. This means, for example, that you must have installed the Windows Server 2003 administrative tools, Adminpak.msi, on a system for a console with the Active Directory Users And Computers snap-in to function.
Practice: Building and Saving Consoles
In this practice, you will create, configure, and save an MMC.
Exercise 1: An Event Viewer Console
1. Click Start, and then click Run.
2. In the Open text box, type mmc, and then click OK.
3. Maximize the Console1 and Console Root windows.
4. From the File menu, choose Options to view the configured console mode.
In what mode is the console running?
5. Verify that the Console Mode drop-down list box is in Author mode, and then
click OK.
6. From the File menu, click Add/Remove Snap-In.
The Add/Remove Snap-In dialog box appears with the Standalone tab active. Note
that there are no snap-ins loaded.
7. In the Add/Remove Snap-In dialog box, click Add to display the Add Standalone
Snap-In dialog box.
8. Locate the Event Viewer snap-in, and then click Add.
The Select Computer dialog box appears, allowing you to specify the computer you want to administer. You can add the Event Viewer snap-in for the local computer on which you are working, or if your local computer is part of a network, you can add Event Viewer for a remote computer.
9. In the Select Computer dialog box, select Local Computer, and then click Finish.
10. In the Add Standalone Snap-In dialog box, click Close, and then in the Add/Remove
Snap-Ins dialog box, click OK.
Event Viewer (Local) now appears in the console tree. You may adjust the width
of the console tree pane and expand any nodes that you want to view.
11. On your own, add a snap-in for Device Manager (local).
12. Save the MMC as MyEvents.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. What is the default mode when creating an MMC?
2. Can a snap-in have focus on both the local computer and a remote computer
simultaneously?
3. If you want to limit the access of a snap-in, how do you construct the MMC that
contains the snap-in?
Lesson Summary
The MMC is a powerful framework for organizing and consolidating administrative
snap-ins. The hierarchical display, similar to that of Windows Explorer, offers a familiar
view of snap-in features in a folder-based paradigm. There are two types of snap-ins,
stand-alone and extension, with extensions appearing and behaving within the MMC
based on the context of their placement. Any console can be configured to work in
either of two modes, Author or User, with the User mode supporting various levels of
restricted functionality in the saved console.
Lesson 2: Managing Computers Remotely with the MMC
In Lesson 1, you learned that you can build a customized MMC with snap-ins that are
focused on remote computers. In addition, many snap-ins allow you to change the
focus of the snap-in by right-clicking the snap-in in the console tree and choosing a
command such as Connect To Another Computer, Connect To Domain, Connect To
Domain Controller, and so forth. Using the MMC to remotely manage another system (as shown in Figure 2-3) can save you the time and cost of a physical visit to the computer.
Figure 2-3 Connecting to a user’s computer with the Computer Management console
After this lesson, you will be able to
■ Construct an MMC to manage a computer remotely
Estimated lesson time: 10 minutes
Setting Up the Snap-in for Remote Use
To connect to and manage another system using the Computer Management console,
you must launch the console with an account that has administrative credentials on the
remote computer. If your credentials do not have sufficient privileges on the target
computer, snap-ins will load, but they either will function in read-only mode or will not
display any information.
Tip You can use Run As, or secondary logon, to launch a console with credentials other
than those with which you are currently logged on.
When you’re ready to manage a remote system, you may open an existing console
with the appropriate snap-in loaded or configure a new MMC and configure the remote
connection when you add the snap-in. To remotely manage a system using the existing
Computer Management console, for example, follow these steps:
1. Open the Computer Management console by right-clicking My Computer and
choosing Manage from the shortcut menu.
2. Right-click Computer Management in the console tree and choose Connect To
Another Computer.
3. In the dialog box shown in Figure 2-4, type the name or IP address of the computer
or browse the network for the remote computer, and then click OK to connect.
Figure 2-4 Setting the Local/Remote Context for a snap-in
Once connected, you can perform administrative tasks on the remote computer.
When you connect to a remote system using the MMC, you connect using remote procedure calls (RPCs). If the remote system has Windows Firewall enabled, the default firewall configuration will prevent inbound RPC traffic. To enable remote administration using the MMC, configure the firewall exception for remote administration. This exception opens TCP ports 135 and 445 and adds program exceptions for Svchost.exe and Lsass.exe to allow hosted services to open additional, dynamically assigned ports, typically in the range of 1024 to 1034. It also enables a computer to receive unsolicited incoming Distributed Component Object Model (DCOM) and RPC traffic.
To configure this exception, open the local or a domain-based Group Policy Object (GPO) and navigate to the Computer Configuration, Administrative Templates, Network, Network Connections, Windows Firewall node. Then open the Domain Profile, which specifies firewall configuration when a system is connected to the domain. In the details pane, double-click the Windows Firewall: Allow Remote Administration Exception policy setting. Enable the policy and specify the IP addresses from which remote administration will be allowed.
For more information about working with GPOs, consult the Windows Help And Support Center and the online help in the Group Policy Management Console and the Group Policy Object Editor consoles.
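The following is an added example, not part of the training kit, that configures the same remote administration exception on the local Windows Firewall with netsh rather than through the GPO described above, and then launches Computer Management against the remote server with secondary logon as the earlier Tip suggests. It shows the exception open to every address beside the form scoped to an administrative subnet; 10.0.0.0/24 as the management subnet and CONTOSO\ServerAdmin as the administrative account are constructed values. A domain GPO that configures the Allow Remote Administration Exception setting takes precedence over these local values, so on domain members the GPO route remains the authoritative one.

```powershell
# Added example (not from the training kit): local netsh equivalent of the
# "Windows Firewall: Allow Remote Administration Exception" setting, scoped to
# a management subnet, followed by verification and a Run As console launch.

# Weak form, kept as a comment for contrast: the remote administration exception
# (TCP 135/445 plus the Svchost.exe and Lsass.exe program exceptions) would be
# reachable from any address on the domain profile.
#   netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=ALL profile=DOMAIN

# Least privilege: the same exception, accepted only from the constructed
# management subnet 10.0.0.0/24 (comma-separate several networks if needed).
netsh firewall set service type=REMOTEADMIN mode=ENABLE scope=CUSTOM addresses=10.0.0.0/24 profile=DOMAIN

# Verify: "show service" lists REMOTEADMIN with its mode and scope, and
# "show state" lists the ports the hosted services have currently opened,
# which is where the dynamically assigned ports described above appear.
netsh firewall show service
netsh firewall show state

# Secondary logon (Run As): open Computer Management focused on Server02 with
# an account that is an administrator there, instead of logging on to the
# console with that account. compmgmt.msc accepts /computer= to set the focus.
runas /user:CONTOSO\ServerAdmin "mmc compmgmt.msc /computer=Server02"
```

Run the netsh commands on the server being managed (Server02 in the chapter's setup) and the runas line on the administrator's workstation; runas prompts for the password interactively rather than taking it on the command line.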
Practice: Adding a Remote Computer for Management (Optional)
Note This practice requires that you have a computer available for remote connection, and
that you have administrative privileges on that computer.
Exercise 1: Connecting Remotely with the MMC
In this exercise, you will modify an existing MMC to connect to a remote computer.
1. Open the saved MMC from the exercise in Lesson 1 (MyEvents).
2. From the File menu, click Add/Remove Snap-In.
3. In the Add/Remove Snap-In dialog box, click Add to display the Add Standalone
Snap-In dialog box.
4. Locate the Computer Management snap-in, and then click Add.
5. In the Computer Management dialog box, select Another Computer.
6. Type the name or IP address of the computer, or browse the network for it, and
then click Finish to connect.
7. Click Close in the Add Standalone Snap-In dialog box, and then click OK to load
the Computer Management snap-in to your MyEvents console.
You can now use the management tools to administer the remote computer.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. What credentials are required for administration of a remote computer using
the MMC?
2. Can an existing MMC snap-in be changed from local to remote context, or must a
snap-in of the same type be loaded into the MMC for remote connection?
3. Are all functions within a snap-in used on a local computer usable when connected remotely?
Lesson Summary
Many MMC snap-ins support the ability to connect either to the local computer or to
remote computers. You can establish the connection to a remote computer when the
snap-in is added to a console or after it is added by right-clicking an existing snap-in
and choosing Connect. You must have administrative privileges on the target system to
use snap-ins to manage a remote computer. In addition, if the Windows Firewall is
enabled, you must configure the exception for remote administration; otherwise,
inbound connections will be blocked.
Lesson 3: Managing Servers with Remote Desktop For Administration
The Windows 2000 Server family introduced a tightly integrated suite of tools and technologies that enabled Terminal Services for both remote administration and application sharing. The evolution has continued: Terminal Services is now an integral, default component of the Windows Server 2003 family, and Remote Desktop has been improved and positioned as an out-of-the-box capability, so that with one click, a computer running Windows Server 2003 will allow two concurrent connections for remote administration. By adding the Terminal Server component and configuring appropriate licensing, an administrator can further extend the technologies to allow multiple users to run applications on the server. In this lesson, you will learn how to enable Remote Desktop For Administration.
After this lesson, you will be able to
■ Configure a server to enable Remote Desktop For Administration
■ Assign users to the appropriate group to allow them to administer servers remotely
■ Connect to a server using Remote Desktop For Administration Connection
Estimated lesson time: 15 minutes
Enabling and Configuring Remote Desktop For Administration
The Terminal Services service enables Remote Desktop, Remote Assistance, and Terminal Server for application sharing. The service is installed by default on Windows Server 2003 and configured to support Remote Desktop For Administration. Remote Desktop For Administration allows only two concurrent remote connections and does not include the application sharing components of Terminal Server. Therefore, Remote Desktop For Administration operates with very little overhead on the system and with no additional licensing requirements. You must install other components—Terminal Server and the Terminal Server Licensing service—using Add Or Remove Programs.
Note Because Terminal Services and its dependent Remote Desktop For Administration are default components of Windows Server 2003, every server has the capability to provide remote connections to its console. The term “terminal server” now therefore refers specifically to a computer running Windows Server 2003 that provides application sharing to multiple users through addition of the Terminal Server component. Terminal Server is discussed in detail in Lesson 5.
All the administrative tools required to configure and support client connections and to
manage Terminal Services are installed by default on every computer running Windows
Server 2003. Each of the tools and their functions are described in Table 2-3.
Table 2-3 Default Components of Terminal Server and Remote Desktop
Terminal Services Configuration: Setting properties on the Terminal Server, including session, network, client desktop, and client remote control settings
Terminal Services Manager: Sending messages to connected Terminal Server clients, disconnecting or logging off sessions, and establishing remote control or shadowing of sessions
Remote Desktop Client Installation Files: Installation of the Windows Server 2003 or Windows XP Remote Desktop Client application. The 32-bit Remote Desktop client software can be installed from %Systemroot%\System32\Clients\Tsclient\Win32 of the Terminal Server.
Terminal Services Licensing: Configuration of licenses for client connections to a terminal server. This tool is not applicable for environments that use only Remote Desktop For Administration.
To enable Remote Desktop connections on a computer running Windows Server 2003,
open the System properties from Control Panel. In the Remote tab, select Allow Users
To Connect Remotely To This Computer.
Note If the Terminal Server is a Domain Controller, you must also configure the Group Policy on the Domain Controller to allow connection through Terminal Services to the Remote Desktop Users group. By default, Domain Controllers allow only members of the Administrators group to log on using Terminal Services. Member servers will allow Terminal Services connections by the Remote Desktop Users group by default.
Remote Desktop Connection
Remote Desktop Connection is the client-side software used to connect to a server in
the context of either Remote Desktop or Terminal Server modes. There is no functional
difference from the client perspective between Remote Desktop For Administration
and Terminal Server.
On computers running Windows XP and Windows Server 2003, Remote Desktop Connection is installed by default, though it is not easy to find in its default location in the All Programs\Accessories\Communications program group on the Start menu.
For other platforms, Remote Desktop Connection can be installed from the Windows Server 2003 CD or from the client installation folder (%Systemroot%\System32\Clients\Tsclient\Win32) on any computer running Windows Server 2003. The .msi-based Remote Desktop Connection installation package can be distributed to Windows 2000 systems using Group Policy or SMS.
Tip It is recommended that you update previous versions of the Terminal Services client to the latest version of Remote Desktop Connection. Doing so will provide the most efficient, secure, and stable environment possible through improvements such as a revised user interface, 128-bit encryption, and alternate port selection.
Figure 2-5 shows the Remote Desktop client configured to connect to Server01 in the
contoso.com domain.
Figure 2-5 Remote Desktop client
Configuring the Remote Desktop Client
You can control many aspects of the Remote Desktop connection from both the client and server sides. Table 2-4 lists configuration settings and their use. You manage client-side configuration in the Remote Desktop Connection client. You configure server-side settings using the Terminal Services Configuration console. The vast majority of server-side settings are found within the Properties dialog box for the RDP-Tcp connection. Any setting that conflicts between the configuration of the server and the client is resolved using the server’s setting.
2-16 Chapter 2 Administering Microsoft Windows Server 2003
Table 2-4 Remote Desktop Settings
Client Settings
  General: Options for the selection of the computer to which connection should be made, the setting of static log on credentials, and the saving of settings for this connection.
  Display: Controls the size of the Remote Desktop client window, color depth, and whether control-bar functions are available in full-screen mode.
  Local Resources: Options to bring sound events to your local computer, in addition to standard mouse, keyboard, and screen output. How the Windows key combinations are to be interpreted by the remote computer (for example, ALT+TAB), and whether local disk, printer, and serial port connections should be available to the remote session.
  Programs: Set the path and target folder for any program you want to start, once the connection is made.
  Experience: Categories of display functions can be enabled or disabled based on available bandwidth between the remote and local computers. Items include showing desktop background, showing the contents of the window while dragging, menu and window animation, themes, and whether bitmap caching should be enabled (this transmits only the changes in the screen rather than repainting the entire screen on each refresh period).
Server Settings
  Logon Settings: Static credentials can be set for the connection rather than using those provided by the client.
  Sessions: Settings for ending a disconnected session, session limits and idle timeout, and reconnection allowance can be made here to override the client settings.
  Environment: Overrides the settings from the user’s profile for this connection for starting a program upon connection. Path and target settings set here override those set by the Remote Desktop Connection.
  Permissions: Allows for additional permissions to be set on this connection.
  Remote Control: Specifies whether remote control of a Remote Desktop Connection session is possible, and if it is, whether the user must grant permission at the initiation of the remote control session. Additional settings can restrict the remote control session to viewing only, or allow full interactivity with the Remote Desktop client session.
  Client Settings: Overrides settings from the client configuration, controls color depth, and disables various communication (I/O) ports.
  Network Adapters: Specifies which network cards on the server will accept Remote Desktop For Administration connections.
  General: Sets the encryption level and authentication mechanism for connections to the server.
Tip You may also establish connections for Remote Desktop For Administration using the Remote Desktops snap-in or the Mstsc.exe command. Both of these clients support connecting to the console session (Session 0) of a server, which is identical to the session you would receive if you logged on interactively to the server. A console session enables you to perform actions that are restricted in other Remote Desktop For Administration sessions (Sessions 1 or 2).
Terminal Services Troubleshooting
When using Remote Desktop For Administration, you are creating a connection to a session running on the server. There are several potential causes of failed connections or problematic sessions:
■ Network failures Errors in standard TCP/IP networking can cause a Remote Desktop connection to fail or be interrupted. If DNS is not functioning, a client might not be able to locate the server by name. If routing is not functioning, or the Terminal Services port (by default, port 3389) is misconfigured on either the client or the server, the connection will not be established.
■ Firewall settings Remote Desktop and Terminal Services use TCP port 3389 by default. Any firewall on the server, or between the server and the client, must keep TCP port 3389 open. You may add the port as a port exception or enable the preconfigured exception for Remote Desktop.
■ Credentials Users must belong to the Administrators or Remote Desktop Users group to successfully connect to the server using Remote Desktop For Administration.
! Exam Tip Examine group membership if access is denied when establishing a Remote Desktop For Administration connection. In earlier versions of Terminal Server, you had to be a member of the Administrators group to connect to the server, although special permissions could be established manually. Now you can be a member of the Remote Desktop Users group on member servers and workstations. Domain controllers require you to be a member of the Administrators group. In the “real world,” you can grant the right to log on through Terminal Services to any user or group through Group Policy. You cannot increase the default limit of two concurrent connections of Remote Desktop For Administration.
■ Policy Domain controllers will allow connections through Remote Desktop only to administrators. You must configure the domain controller security policy to allow connections for all other remote user connections.
■ Too many concurrent connections If sessions have been disconnected without being logged off, the server might consider its concurrent connection limit reached even though there are not two human users connected at the time. An administrator might, for example, close a remote session without logging off. If two more administrators attempt to connect to the server, only one will be allowed to connect before the limit of two concurrent connections is reached. Use Terminal Services Manager to view and log off any open, idle, and unnecessary sessions.
See Also For more on Terminal Services and the Remote Desktop client, see Lesson 5.
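The four failure causes above, worked through as an added PowerShell script that is not part of the training kit: it resolves the server name, probes TCP 3389, counts sessions against the two-connection limit with query session, and lists the server's Remote Desktop Users group. Server01, the port and the limit are placeholders; PowerShell 2.0 or later on an administrator's workstation is assumed.

```powershell
# Added example, not from the training kit. Works through the failure causes
# listed above for one Remote Desktop For Administration target. Assumes
# PowerShell 2.0 or later on an administrator's workstation whose account may
# query sessions on the server; Server01 is a placeholder name.
param(
    [string]$Server = "Server01",
    [int]$Port = 3389,     # RDP-Tcp listening port (default)
    [int]$Limit = 2        # Remote Desktop For Administration session limit
)

# 1. Network failures: can the client locate the server by name (DNS)?
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($Server) | ForEach-Object { $_.ToString() }
    Write-Host ("DNS: {0} -> {1}" -f $Server, ($addresses -join ", "))
} catch {
    Write-Host ("DNS: cannot resolve {0}: {1}" -f $Server, $_.Exception.Message)
    exit 1
}

# 2. Firewall and routing: does anything answer on the Terminal Services port?
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($Server, $Port)
    Write-Host ("TCP {0}: open" -f $Port)
} catch {
    Write-Host ("TCP {0}: unreachable; check firewalls on the path and the RDP-Tcp port" -f $Port)
    exit 1
} finally {
    $client.Close()
}

# 3. Too many concurrent connections: disconnected sessions still count toward
#    the limit. 'query session' (qwinsta) prints a column-aligned table:
#    SESSIONNAME USERNAME ID STATE TYPE DEVICE, where USERNAME may be blank.
$sessions = @(query session /server:$Server 2>$null | ForEach-Object {
    if ($_ -match '^\s*>?(\S*)\s+(\S*)\s+(\d+)\s+(Active|Disc|Listen|Conn)\b') {
        New-Object PSObject -Property @{
            Session = $matches[1]; User = $matches[2]
            Id = [int]$matches[3]; State = $matches[4]
        }
    }
})
# Session 0 is the console and does not count against the two remote sessions.
$inUse = @($sessions | Where-Object { $_.Id -ne 0 -and @("Active", "Disc") -contains $_.State })
$disconnected = @($inUse | Where-Object { $_.State -eq "Disc" })
Write-Host ("Sessions: {0} of {1} in use, {2} disconnected" -f $inUse.Count, $Limit, $disconnected.Count)
if ($inUse.Count -ge $Limit) {
    Write-Host "Connection limit reached. Disconnected sessions that could be logged off:"
    foreach ($s in $disconnected) {
        # 'logoff <id> /server:<name>' does what Log Off does in Terminal Services Manager.
        Write-Host ("  logoff {0} /server:{1}   (user {2})" -f $s.Id, $Server, $s.User)
    }
}

# 4. Credentials: a member server admits Administrators and Remote Desktop Users;
#    a domain controller admits only Administrators by default.
$group = [ADSI]("WinNT://{0}/Remote Desktop Users,group" -f $Server)
$members = @($group.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
})
Write-Host ("Remote Desktop Users on {0}: {1}" -f $Server, ($members -join ", "))
```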
Practice: Installing Terminal Services and Running Remote Administration
In this practice, you will configure Server01 to enable Remote Desktop For Administration connections. You will then optimize Server01 to ensure availability of the connection when the connection is not in use, and you will limit the number of simultaneous connections to one. You then run a remote administration session from Server02 (or another remote computer).
If you are limited to one computer for this practice, you can use the Remote Desktop client to connect to Terminal Services on the same computer. Adjust references to a remote computer in this practice to that of the local computer.
Exercise 1: Configure the Server for Remote Desktop
In this exercise, you will enable Remote Desktop connections, change the number of simultaneous connections allowed to the server, and configure the disconnection settings for the connection.
1. Log on to Server01 as Administrator.
2. Open the System properties from Control Panel.
3. On the Remote tab, enable Remote Desktop. Close System Properties.
4. Open the Terminal Services Configuration console from the Administrative Tools folder.
5. On the tscc (Terminal Services Configuration\Connections) MMC, right-click the RDP-Tcp connection in the details pane, and then click Properties.
6. On the Network Adapter tab, change the Maximum Connections to 1.
7. On the Sessions tab, select both of the Override User Settings check boxes, and make setting changes so that any user session that is disconnected, by any means, or for any reason, will be closed in 15 minutes, that has no Active session time limit, and that will be disconnected after 15 minutes of inactivity.
❑ End a disconnected session: 15 minutes
❑ Active session limit: never
❑ Idle session limit: 15 minutes
❑ When session limit is reached or connection is broken: Disconnect from session
This configuration will ensure that only one person at a time can be connected to the Terminal Server, that any disconnected session will be closed in 15 minutes, and that an idle session will be disconnected in 15 minutes. These settings are useful to prevent a session that is disconnected or idle making the Remote Desktop For Administration connection unavailable.
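To check the result of Exercise 1 without opening the console, here is an added PowerShell script (not from the training kit) that reads the RDP-Tcp connection properties from the registry and compares them with the values the exercise asks for. The registry path and value names are stated from the author's own knowledge of Windows Server 2003 rather than from the kit, so confirm them on your build; the script is meant to run on Server01 itself.

```powershell
# Added example, not from the training kit. Reads the RDP-Tcp connection
# properties that Exercise 1 sets in the Terminal Services Configuration
# console and compares them with the values the exercise asks for. The registry
# path and value names are quoted from the author's own knowledge of Windows
# Server 2003, not from the kit; confirm them on your build before relying on
# this. Run it on Server01 itself.
$rdpTcp  = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
$termSrv = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"

function Get-RegDword([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    # DWORDs come back as Int32; mask so 0xFFFFFFFF reads as 4294967295, not -1.
    return [uint32]($item.$Name -band 0xFFFFFFFF)
}

# Time limits are stored in milliseconds; 0 means "never".
function Format-Limit($ms) {
    if ($ms -eq $null) { return "(not set)" }
    if ($ms -eq 0) { return "never" }
    return ("{0} minutes" -f [int]($ms / 60000))
}

$maxInstances = Get-RegDword $rdpTcp "MaxInstanceCount"
if ($maxInstances -eq 4294967295) { $maxInstances = "unlimited" }

$actual = @{
    "Remote Desktop enabled"     = ((Get-RegDword $termSrv "fDenyTSConnections") -eq 0)
    "Maximum connections"        = $maxInstances
    # fInherit* = 0 means the Override User Settings box is checked, so the
    # connection's limits apply instead of the user account's.
    "Override user settings"     = ((Get-RegDword $rdpTcp "fInheritMaxDisconnectionTime") -eq 0)
    "End a disconnected session" = (Format-Limit (Get-RegDword $rdpTcp "MaxDisconnectionTime"))
    "Active session limit"       = (Format-Limit (Get-RegDword $rdpTcp "MaxConnectionTime"))
    "Idle session limit"         = (Format-Limit (Get-RegDword $rdpTcp "MaxIdleTime"))
    "On broken connection"       = $(if ((Get-RegDword $rdpTcp "fResetBroken") -eq 1) { "End session" } else { "Disconnect from session" })
}
# Targets from the exercise: one connection, 15 / never / 15 minutes, disconnect.
$expected = @{
    "Remote Desktop enabled"     = $true
    "Maximum connections"        = 1
    "Override user settings"     = $true
    "End a disconnected session" = "15 minutes"
    "Active session limit"       = "never"
    "Idle session limit"         = "15 minutes"
    "On broken connection"       = "Disconnect from session"
}
foreach ($name in $expected.Keys) {
    $status = if ($actual[$name] -eq $expected[$name]) { "OK" } else { "expected " + $expected[$name] }
    Write-Host ("{0,-28} {1,-24} {2}" -f $name, $actual[$name], $status)
}
```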
Exercise 2: Connect to the Server with the Remote Desktop Client
1. On Server02 (or another remote computer, or from Server01 itself if a remote computer is not available), open Remote Desktop Connection (from the Accessories, Communications program group) and connect to and log on to Server01.
2. On Server01, open the Tsadmin.exe (Terminal Services Manager) MMC. You should see the remote session connected to Server01.
3. Leave the session idle for 15 minutes, or close the Remote Desktop client without logging off the Terminal Server session, and the session should be disconnected automatically in 15 minutes.
You have now logged on to Server01 remotely and can perform any tasks on the Server01 computer that you could accomplish while logged on interactively at the console.
Lesson Review
The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.
1. How many simultaneous connections are possible to a Terminal Server running in Remote Administration mode? Why?
2. What would be the best way to give administrators the ability to administer a server remotely through Terminal Services?
a. Don’t do anything; they already have access because they are administrators.
b. Remove the Administrators from the permission list on the Terminal Server connection, and put their administrator account in the Remote Desktop For Administration Group.
c. Create a separate, lower-authorization user account for Administrators to use daily, and place that account in the Remote Desktop For Administration Group.
3. What tool is used to enable Remote Desktop on a server?
a. Terminal Services Manager
b. Terminal Services Configuration
c. System properties in Control Panel
d. Terminal Services Licensing
Lesson Summary
Administrators and members of the Remote Desktop Users group have the ability to connect to a server using Remote Desktop Connection. Terminal Services is installed on Windows Server 2003 by default and allows up to two Remote Desktop For Administration connections simultaneously. The Remote Desktop Connection client, a default component of Windows XP and Windows Server 2003, can be installed on any 32-bit Windows platform from the Windows Server 2003 installation CD or (after sharing the directory) from any computer running Windows Server 2003. Configuration of Remote Desktop For Administration connections is accomplished through settings on the client (Remote Desktop Connection) and server (Terminal Services Configuration). Key settings for the connections can be overridden by the server.
Lesson 4: Using Remote Assistance
Computer users, particularly users without much technical expertise, often have configuration or usage issues that are difficult for a support professional or even a friend or family member to diagnose and fix over the telephone. Remote Assistance provides a way for users to get the help they need and makes it easier and less costly for corporate help desks to assist their users.
After this lesson, you will be able to
■ Enable a computer to accept requests for Remote Assistance
■ Use one of the available methods to request and establish a Remote Assistance session
Estimated lesson time: 30 minutes
Introducing Remote Assistance
With Remote Assistance, available on Windows Server 2003 and Windows XP, an administrator or support representative can connect remotely to a user’s computer, chat with the user, and either view all the user’s activities or take control of the keyboard and mouse.
Note In Microsoft interfaces and documentation, the person connecting to a client using Remote Assistance is referred to as an expert or a helper.
Remote Assistance can eliminate the need for administrative personnel to travel to a user’s location for any of the following reasons:
■ Technical support A system administrator or help desk operator can use Remote Assistance to connect to a remote computer to modify configuration parameters, install new software, or troubleshoot user problems.
■ Troubleshooting By connecting in Read-Only mode, an expert can observe a remote user’s activities and determine whether improper procedures are the source of problems the user is experiencing. The expert can also connect in interactive mode to try to re-create the problem or to modify system settings to resolve it. This is far more efficient than trying to give instructions to inexperienced users over the telephone.
■ Training Trainers and help desk personnel can demonstrate procedures to users right on their systems without having to travel to their locations.
Configuring Remote Assistance
To receive remote assistance, the computer running Windows Server 2003 or Windows XP must be configured to use the Remote Assistance feature in one of the following ways:
■ Using system properties Open System from Control Panel and click the Remote tab. Then select the Turn On Remote Assistance And Allow Invitations To Be Sent From This Computer check box.
Note By clicking the Advanced button in the Remote tab in the System Properties dialog box, the user can specify whether to let the expert take control of the computer or simply view activities on the computer. The user can also specify the amount of time that the invitation for remote assistance remains valid.
■ Using group policies In a local or domain-based GPO, navigate to Computer Configuration, Administrative Templates, System, Remote Assistance, and enable the Solicited Remote Assistance policy.
Note The Solicited Remote Assistance policy also enables you to specify the degree of control the expert receives over the client computer, the duration of the invitation, and the method for sending e-mail invitations.
Creating an Invitation for Assistance
To receive remote assistance, a client must issue an invitation and send it to a particular expert. The client can send the invitation to the expert using Microsoft Windows Messenger or e-mail, or he or she can send it as a file. Figure 2-6 shows the screen in Help And Support Center used to invite someone for assistance.
Figure 2-6 The Remote Assistance invitation screen in the Help And Support Center
Security Alert If the user chooses to send an e-mail or file request for Remote Assistance, a password will be required as a shared secret for the Remote Assistance session. The user should set a strong password and let the expert know what the password is in a separate communication such as a telephone call or secure e-mail.
To use the Windows Messenger service for your Remote Assistance connection, you must have the expert’s Windows Messenger user name in your contact list. Windows Messenger will display the expert’s status as online or offline. Figure 2-7 illustrates making a request for Remote Assistance using Windows Messenger.
Figure 2-7 Making a request for Remote Assistance
Note The indicator of online status in the Remote Assistance help window is not dynamic; you must therefore refresh the screen to see an accurate status update.
For a successful request through e-mail, both computers must be using a Messaging Application Programming Interface (MAPI)–compliant e-mail client.
As a third option, you can save the invitation as a file and transfer that file to the expert through removable storage media or as an e-mail attachment, in which case the requirement for MAPI e-mail clients is removed.
When a user initiates an invitation for Remote Assistance, the client sends an encrypted ticket based on XML to the expert, who is prompted to accept the invitation.
Accepting an Invitation for Assistance
On accepting an invitation to provide Remote Assistance, the expert can begin to connect to the remote computer. The user is notified that the expert is establishing a connection and is prompted to confirm the Remote Assistance session. Then the expert is able to view the remote computer’s session directly. The expert and user can chat online to solve the user’s problem and files can be transferred. If the expert requests control, and if configuration allows the expert to take control, the user is again prompted to confirm the request.
Note Remote Assistance does not provide a mechanism through which administrators can “spy” on a user session. Any connection by the expert must be confirmed by the user.
Offering Remote Assistance to a User
You can also configure Remote Assistance so that you can initiate troubleshooting without receiving an invitation from the user. This highly useful option enables support personnel to initiate Remote Assistance sessions while responding to a user’s help desk call without requiring the user to send an invitation.
To support this workflow, you must enable the Offer Remote Assistance Local Group Policy setting on the target (user’s) local computer. The policy setting is located in the Computer Configuration, Administrative Templates, System, Remote Assistance container and is labeled Offer Remote Assistance. Enable the policy and specify the individual user accounts for the helpers who are allowed to offer Remote Assistance without first receiving an invitation. Enter the accounts in the form domain\username and be sure that the helpers are members of the local Administrators group on computers to which they will establish Remote Assistance connections.
Tip The Offer Remote Assistance policy enables you to specify the names of users or groups that can function as experts and choose whether those experts can perform tasks or just observe.
A helper can now initiate Remote Assistance to a user’s computer, providing that the credentials supplied match those of a helper defined in the target computer’s policy. To offer remote assistance without an invitation, open the Help And Support Center, click Tools, and then click Help And Support Center Tools. Next, click Offer Remote Assistance. Figure 2-8 illustrates the Help And Support Center Tools interface. Type the name or IP address of the target computer and then click Connect. If several users are logged on, choose a user session. Then click Start Remote Assistance.
Figure 2-8 The Help And Support Center Tools
The user receives a pop-up box showing that the help desk person is initiating a Remote Assistance session. The user accepts the offer of assistance, and Remote Assistance can proceed.
Securing Remote Assistance
Because an expert offering remote assistance to another user can perform virtually any activity on the remote computer that the local user can, this feature can be a significant security hazard. An unauthorized user who takes control of a computer using Remote Assistance can cause almost unlimited damage. However, Remote Assistance is designed to minimize the dangers. Some protective features of Remote Assistance are the following:
■ Invitations No person can connect to another computer using Remote Assistance unless that person has received an invitation from the client. Clients can configure the effective life spans of their invitations in minutes, hours, or days to prevent experts from attempting to connect to the computer later.
■ Interactive connectivity When an expert accepts an invitation from a client and attempts to connect to the computer, a user must be present at the client console to grant the expert access. You cannot use Remote Assistance to connect to an unattended computer.
■ Client-side control The client always has ultimate control over a Remote Assistance connection. The client can terminate the connection at any time by pressing the ESC key or by clicking Stop Control (ESC) in the client-side Remote Assistance page.
■ Remote control configuration Using the System Properties dialog box or Remote Assistance group policies, users and administrators can specify whether experts are permitted to take control of client computers. An expert who has read-only access cannot modify the computer’s configuration in any way using Remote Assistance. The group policies also enable administrators to grant specific users expert status so that no one else can use Remote Assistance to connect to a client computer, even with the client’s permission.
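The policy settings this section and the two before it describe (Solicited Remote Assistance, Offer Remote Assistance, the helper list) can be audited on a computer with the added PowerShell script below, which is not from the training kit. The registry locations the Remote Assistance policies write to are stated from the author's own knowledge, not from the kit, so confirm them against your policy templates; run it on the client computer being audited.

```powershell
# Added example, not from the training kit. Audits the Remote Assistance policy
# settings discussed above on the local computer and reports who may offer
# unsolicited help. The registry path and value names are those the Remote
# Assistance Group Policy settings write, quoted from the author's knowledge
# rather than from the kit; confirm them against your own policy templates.
$policy  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
$helpers = Join-Path $policy "RAUnsolicit"

function Get-PolicyValue([string]$Name) {
    $item = Get-ItemProperty -Path $policy -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }   # value absent: policy not configured
    return $item.$Name
}

function Format-Flag($flag, [string]$On, [string]$Off) {
    if ($flag -eq $null) { return "not configured" }
    if ($flag -eq 1) { return $On } else { return $Off }
}

# Solicited Remote Assistance: the user sends an invitation.
$solicited   = Get-PolicyValue "fAllowToGetHelp"
$fullControl = Get-PolicyValue "fAllowFullControl"
$expiry      = Get-PolicyValue "MaxTicketExpiry"
$expiryUnits = Get-PolicyValue "MaxTicketExpiryUnits"   # 0 minutes, 1 hours, 2 days (assumed encoding)
$unitNames   = @("minutes", "hours", "days")

# Offer Remote Assistance: the expert connects without an invitation.
$unsolicited  = Get-PolicyValue "fAllowUnsolicited"
$offerControl = Get-PolicyValue "fAllowUnsolicitedFullControl"

"Solicited Remote Assistance : " + (Format-Flag $solicited "enabled" "disabled")
"  Expert may take control   : " + (Format-Flag $fullControl "yes" "view only")
if ($expiry -ne $null -and $expiryUnits -ne $null) {
    "  Invitation lifetime       : $expiry $($unitNames[[int]$expiryUnits])"
}
"Offer Remote Assistance     : " + (Format-Flag $unsolicited "enabled" "disabled")
"  Offered sessions          : " + (Format-Flag $offerControl "full control" "view only")

if (Test-Path $helpers) {
    # Each account allowed to offer help is stored as a value under RAUnsolicit.
    # Anything here that is not a known help desk account or group deserves a second look.
    $accounts = (Get-Item $helpers).GetValueNames()
    "  Helpers allowed to offer  : " + ($accounts -join ", ")
}
```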
Firewall Constraints to Remote Assistance
Remote Assistance runs on top of Terminal Services technology, which means it must use the same port used by Terminal Services: TCP port 3389. Remote Assistance will not work when outbound traffic from port 3389 is blocked. In addition, other exceptions must be made. In Windows XP, the Windows Firewall has a preconfigured exception for Remote Assistance that you can enable. To configure the exceptions on Windows Server 2003 or using Group Policy, enable the following exceptions:
■ TCP Port 135
■ %WINDIR%\SYSTEM32\Sessmgr.exe
■ %WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe
■ %WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe
In addition, there are several other firewall-related concerns, particularly in relation to Network Address Translation (NAT).
■ Remote Assistance supports Universal Plug and Play (UPnP) to traverse Network Address Translation devices. This is helpful on smaller, home office networks, as Windows XP Internet Connection Sharing (ICS) supports UPnP. However, Windows 2000 ICS does not support UPnP.
! Exam Tip Watch for questions that use Windows 2000 ICS for remote assistance from a big, corporate help desk to a small satellite office. Because Windows 2000 ICS does not support UPnP, Remote Assistance problems will abound.
■ Remote Assistance will detect the Internet IP address and TCP port number on the UPnP NAT device and insert the address into the Remote Assistance encrypted ticket. The Internet IP address and TCP port number will be used to connect through the NAT device by the helper or requester workstation to establish a Remote Assistance session. The Remote Assistance connection request will then be forwarded to the client by the NAT device.
■ Remote Assistance will not connect when the requester is behind a non-UPnP NAT device when e-mail is used to send the invitation file. When sending an invitation using Windows Messenger, a non-UPnP NAT device will work if one client is behind a NAT device. If both the helper and requester computers are behind non-UPnP NAT devices, the Remote Assistance connection will fail.
If you are using a software-based personal firewall or NAT in a home environment, you can use Remote Assistance with no special configurations.
Note The Windows Messenger Service itself relies upon port 1863 being open.
Practice: Using Remote Assistance through Windows Messenger
This practice requires either a partner or a second computer for establishing the Remote Assistance session. Server01 and Server02 should have Windows Messenger installed and configured with two distinct accounts. If you are limited to a single computer for this practice, you may establish a Remote Assistance session using two separate Windows Messenger accounts configured on the same computer, but you will not be able to perform screen control.
1. From Server02 (or another computer), open Windows Messenger and log on to your Messenger Account #2.
2. From the Windows Messenger logged on as Messenger Account #1, choose Ask For Remote Assistance from the Actions menu.
3. In the Ask for Remote Assistance dialog box, choose the Messenger Account #2, and then click OK.
4. There will now be a sequence of requests and acknowledgments between the two Windows Messenger Applications. Choose Accept or OK in each query to establish the Remote Assistance session.
5. Initially, the Remote Assistance session is in Screen View Only mode. To take control of the novice’s computer, you must select Take Control at the top of the Remote Assistance window. The novice user must Accept your attempt to take over the computer.
Note Either the novice or expert can end control or disconnect the session at any time.
Whether or not the expert takes over the novice’s computer, screen view, file transfer, and live chat are enabled.
Lesson Review
The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson materials and try the question again. You can find answers to the questions in the “Questions and Answers” section at the end of this chapter.
1. How is Remote Assistance like Remote Desktop For Administration? How is it different?
2. What are the benefits of Remote Assistance?
3. Which of the following are firewall-related constraints relating to Remote Assistance?
a. Port 3389 must be open
b. NAT cannot be used
c. Internet Connection Sharing is not possible
d. You cannot use Remote Assistance across a Virtual Private Network (VPN)
Lesson Summary
Remote Assistance is a mutual arrangement: the user can ask an expert for help or, if properly configured through Group Policy, the expert can initiate a help session. In either case, the user must actively agree to the establishment of the session and can always grant the expert control of the user’s desktop and take it back again. At no time can the expert take control of the user’s desktop unannounced. Remote Assistance is built upon Terminal Services and uses the interface of the help system and Windows Messenger to allow for session initiation, chat, screen viewing, screen control, and file transfer. The technology of Terminal Services and Remote Assistance is so closely tied that both services use the same network port, 3389, which must be open through any firewall for the Remote Assistance session to succeed.
Lesson 5: Terminal Server
In Lesson 3, you learned how to use Terminal Services, specifically Remote Desktop For Administration, to connect to a server session from a remote client. You learned that Remote Desktop For Administration is installed on every server running Windows Server 2003 by default and that, once it is enabled using the System application in Control Panel, a server will support two concurrent connections from users who belong to the Remote Desktop Users group.
Windows Server 2003 Terminal Services also supports providing applications to multiple users running concurrent sessions. This feature, similar to the Terminal Services Application Server mode of Windows 2000 Server, is now called Terminal Server. In this lesson, you will learn about Terminal Server and the unique issues related to supporting and troubleshooting a Terminal Server environment.
After this lesson, you will be able to
■ Install Terminal Server to support multiuser applications
■ Deploy the Remote Desktop Connection client
■ Configure and manage remote desktop sessions
■ Troubleshoot Terminal Server
Estimated lesson time: 30 minutes
Installing and Configuring a Terminal Server Environment
There are several key considerations related to the deployment of a Terminal Server environment.
The Terminal Server Component
Terminal Server can be installed by using the Add/Remove Windows Components Wizard, which is found in Add/Remove Programs, or by choosing the Configure Your Server Wizard from the Manage Your Server page. It is best practice to configure stand-alone member servers as terminal servers, not as domain controllers. Hardware recommendations can be found in the Help And Support Center.
Applications
Because applications on a terminal server will be provided to multiple users, perhaps concurrently, certain registry keys, files, and folders must be installed on a terminal server differently from how they would be installed on a server that is not a terminal server. Always use the Add/Remove Programs tool in Control Panel to install an application on a terminal server. Add/Remove Programs will automatically switch the terminal server into installation mode prior to starting the application’s setup routine. While in installation mode, the terminal server manages the configuration of the application appropriately so that the application can run in multiuser mode.
Occasionally, an application, patch, or other installation-related process cannot be initiated by using Add/Remove Programs. For example, a vendor might provide an online update capability for its application, and such a capability cannot be started from Add/Remove Programs. In such cases, open the command shell and use the Change User/Install command prior to invoking the installation or patch process. Once the process has completed, use the Change User/Execute command. Also note that some applications require compatibility scripts to modify their installation behavior on a terminal server.
It is best practice to install Terminal Server prior to installing any applications that will be run in multiuser mode. Similarly, prior to removing Terminal Server from a server, you should uninstall all applications that were installed in multiuser mode. If you must install additional applications on an existing terminal server, be sure to reset (log off) any current user sessions using Terminal Server Connections and to disable new connections by typing change logon /disable on the command line. Once applications have been installed, type change logon /enable on the command line to allow new connections once again. The Remote tab of System Properties, shown in Figure 2-9, will also allow you to enable and disable Terminal Services connections.
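The command-line sequence the two paragraphs above describe, as an added PowerShell script that is not from the training kit: it disables new logons, clears the remaining sessions, switches the server to install mode around the vendor's setup program, and restores execute mode and logons afterwards. The installer path and arguments are placeholders; run it from the console session or another session that stays connected.

```powershell
# Added example, not from the training kit. Runs an application setup on a
# terminal server in the order described above: block new logons, clear the
# remaining sessions, enter install mode, run setup, return to execute mode and
# re-open logons. $Installer and $Arguments are placeholders.
param(
    [string]$Installer = "D:\Setup\setup.exe",
    [string]$Arguments = "/quiet"
)

change logon /disable            # no new Terminal Services connections from here on

# Warn connected users, then log off every other session (disconnected ones too).
msg * /time:60 "Software installation starts in 1 minute; your session will be logged off."
Start-Sleep -Seconds 60
query session | ForEach-Object {
    # Columns: SESSIONNAME USERNAME ID STATE; skip the listener and our own session.
    if ($_ -match '^\s*>?(\S+)\s+\S*\s+(\d+)\s+(Active|Disc)\b') {
        if ($matches[1] -ne $env:SESSIONNAME) { logoff $matches[2] }
    }
}

try {
    change user /install         # installation mode: the server records the application's
                                 # configuration so that it can run in multiuser mode
    $setup = Start-Process -FilePath $Installer -ArgumentList $Arguments -Wait -PassThru
    Write-Host ("Setup exit code: {0}" -f $setup.ExitCode)
} finally {
    change user /execute         # back to multiuser execution mode, even if setup failed
    change logon /enable         # accept connections again
}
change user /query               # prints the current mode as confirmation
```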
Figure 2-9 The Remote tab of System Properties
When installing Terminal Server, you will be given the choice of Full Security and Relaxed Security. Full Security, the default, protects certain operating system files, registry keys, and shared program files. Older applications might not function in this more secure configuration, at which point you might choose Relaxed Security. The setting can be changed at any time using the Server Settings in the Terminal Services Configuration console, shown in Figure 2-10.
Figure 2-10 Server Settings in the Terminal Services Configuration console
Many administrators misunderstand the use of the Terminal Services Home Folder. This setting, which can be configured as part of the user account, as shown in Figure 2-11, or through Group Policy, determines the location of a folder that is used by Terminal Services to store user-specific files for multiuser applications. It does not affect the storage location for user data files. By default, the Terminal Services Home Folder is created as a folder called Windows in the user’s profile. To manage where user data is stored, configure the user’s standard Home Folder setting in the Profile tab of the user account, or use the best practice of redirecting the My Documents folder.
Figure 2-11 The Terminal Services Home Folder setting of a user account
Installation of the Remote Desktop Connection Client
The Remote Desktop Connection client (Mstsc.exe) is installed by default on all comput-
ers running Windows Server 2003 and Windows XP. The client supports all 32-bit Win-
dows platforms, and can be installed with Group Policy on Windows 2000 systems, or
with other software deployment methods on earlier platforms. Once installed, the client
can be tricky to locate in the Start menu. Look in the Communications program group under
Accessories, and then create a shortcut to the client in a more accessible location.
2-32 Chapter 2 Administering Microsoft Windows Server 2003
Licensing
After a 120-day evaluation period, connections to a computer running Terminal Server
will not be successful unless the terminal server can obtain a client license from a Ter-
minal Server License Server. Therefore, as part of your Terminal Server deployment,
you must install a Terminal Server License Server, preferably on a server that is not a
terminal server.
Use Add/Remove Programs to install Terminal Server Licensing. You will be asked
whether the server should be an Enterprise License Server or a Domain License Server.
An Enterprise License Server is the most common configuration, and the server can
provide licenses to terminal servers in any Windows 2000 or Windows Server 2003
domain within the forest. Use a Domain License Server when you want to maintain a
separate license database for each domain or when terminal servers are running in a
workgroup or a Microsoft Windows NT 4 domain.
Once installed, Terminal Server Licensing is managed with the Terminal Server Licens-
ing console in Administrative Tools. The first task you will perform is activating the Ter-
minal Server License Server by right-clicking the Terminal Server License Server and
choosing Activate Server. Once the server has been activated, client license packs must
be installed. The Help And Support Center includes detailed instructions for this pro-
cess. Terminal Server Licensing supports two types of client access licenses (CALs): Per
Device and Per Session. Both types of CALs can be managed by the same Terminal
Server License Server.
Note Terminal Server Licensing is maintained separately from server and client access
licenses (CALs) for Windows Server 2003. Terminal Server CALs are licenses for the connec-
tion to a user session on a terminal server; you must still consider licensing requirements for
applications that users access within their session. Consult the applications’ End User
License Agreements (EULAs) to determine appropriate licensing for applications hosted on a
terminal server.
Managing and Troubleshooting Terminal Server
Several tools exist that can configure terminal servers, Terminal Services user settings,
Terminal Services connections, and Terminal Services sessions. These include Group
Policy Editor, Terminal Services Configuration, Active Directory Users And Computers,
and the Remote Desktop Connection client itself. This section will help you understand
the use of each tool, and the most important configuration settings, by examining the
creation, use, and deletion of a user session.
Points of Administration
There are several processes that occur as a user connects to a terminal server; and at
each step, there are opportunities to configure the behavior of the connection.
The Remote Desktop Connection client allows 32-bit Windows platforms to connect to
a terminal server using the Remote Desktop Protocol (RDP). The client has been greatly
improved over earlier versions of the Terminal Services client and now includes a wider
variety of data redirection types (including file system, serial port, printer, audio, and
time zone) and supports connections in up to 24-bit color. The client includes numer-
ous settings that configure the connection and the user’s experience. Some of those set-
tings are shown in Figure 2-12. Settings are saved in Remote Desktop Connection (.rdp)
files that can easily be opened for future connections or distributed to other users as a
connection profile. Settings in the .rdp file or the Remote Desktop Connection client
affect the current user’s connection to the specified terminal server.
Figure 2-12 The Remote Desktop Connection client
When a user connects to a terminal server, the server will examine the Terminal Ser-
vices properties of the user’s account to determine certain settings. If Terminal Services
user accounts are stored on the terminal server, the Local Users and Groups snap-in
will expose Terminal Services settings in the Properties of user accounts. More com-
monly, user accounts are in Active Directory directory service, in which case the Active
Directory Users And Computers snap-in exposes Terminal Services settings in the Envi-
ronment, Remote Control, and Terminal Services Profile tabs within the user properties
dialog box, as shown previously in Figure 2-11. Settings in the user account will over-
ride settings in the Remote Desktop client.
A client connects to the terminal server by specifying the server’s name or IP address.
The terminal server receives the connection request through the specified network
adapter. This connection is represented by a connection object, which is visible in the
Terminal Services Configuration console, as shown in Figure 2-13. The connection
object’s properties configure settings that affect all user connections through the net-
work adapter. Settings in the connection will override client requested settings and set-
tings in the user account.
Figure 2-13 Terminal Services Configuration
Exam Tip A terminal server’s RDP-Tcp connection properties, accessible through Terminal
Services Configuration, will override client and user account settings for all user sessions
through the connection on that individual terminal server.
Windows Server 2003 Group Policy includes numerous computer-based and user-
based policies to control Terminal Services. Configurations specified by GPOs will
override settings in the Remote Desktop Connection client, in the user account, or on
the RDP-Tcp connections of terminal servers. Of course, those settings will apply only
to the users or computers within the scope of the organizational unit (OU) to which the
GPO is linked. In an environment consisting only of terminal servers running one of
the Windows Server 2003 family operating systems, Group Policy will enable Terminal
Services configuration with the least administrative effort. Terminal Services group poli-
cies do not apply to terminal servers running earlier versions of Windows.
Once a user session has been enabled, the Terminal Services Manager administrative
tool can be used to monitor users, sessions, and applications on each terminal server.
Terminal Services Manager can also be used to manage the server and to connect to,
disconnect from, or reset user sessions or processes.
Before continuing the examination of Terminal Server configuration options and tools,
take a moment to memorize the order of precedence for configuration settings:
1. Computer-level group policies. Most Terminal Services configuration can be set by
GPOs linked to an OU in which terminal server computer objects are created.
These policies override settings made with any other tool.
2. User-level group policies.
3. Configuration of the terminal server or the RDP-Tcp connection using the Terminal
Services Configuration tool. Although this tool is server- and connection-specific,
and therefore cannot specify a single configuration as Group Policy can, this tool
can configure Windows 2000 terminal servers. In addition, there are times when a
configuration between terminal servers or between connections should be differ-
ent. Terminal Services Configuration is the tool to manage such a scenario.
4. User account properties configured with the Active Directory Users And Comput-
ers snap-in.
5. Remote Desktop Connection client configuration.
Connection Configuration
A user’s ability to connect and log on to a terminal server is determined by a number
of factors, each of which, if not functioning properly, produces a unique error message:
■ The connection on the terminal server must be accessible. If the client cannot
reach the server using TCP/IP, or if the terminal server’s RDP-Tcp connection is
disabled, a particularly uninformative error message appears that indicates that the
client cannot connect to the server.
Note If you use Windows Firewall, or any other firewall, be sure to open TCP port 3389.
Windows Firewall includes a preconfigured exception for Remote Desktop that performs the
same configuration.
■ Remote Desktop must be enabled. The ability of a terminal server to accept new
connections can be controlled in the Remote tab of the System properties dialog
box or by using the change logon /disable and change logon /enable commands.
If logon has been disabled, an error message appears indicating that terminal
server sessions are disabled or that remote logons are disabled.
■ The server must have available connections. The properties of the connection—
the default RDP-Tcp connection, for example—determine the number of available
connections in the Network Adapter tab, as shown in Figure 2-14. If sufficient con-
nections are not available, an error message appears that indicates that a network
error is preventing connection.
Figure 2-14 The Network Adapter tab of the RDP-Tcp Properties dialog box
■ Encryption must be compatible. The default allows any client to connect to a ter-
minal server without regard to its encryption capability. If you modify the encryp-
tion requirements for a connection by using the Encryption Level list in the
General tab of the connection properties, as shown in Figure 2-15, clients that are
not capable of that encryption mode will not be allowed to connect.
Figure 2-15 The General tab of the RDP-Tcp Properties dialog box
■ The user must have sufficient connection permissions. As shown in Figure 2-16,
the Remote Desktop Users group has User Access permissions, which gives the
group sufficient permissions to log on to the server. The access control list (ACL)
of the connection can be modified to control access in configurations that differ
from the default. Refer to the Help And Support Center for more information. If a
user does not have sufficient permission to the connection, an error message will
appear that indicates that the user does not have access to the session.
Figure 2-16 The Permissions tab of the RDP-Tcp Properties dialog box
■ The user must have the user logon right to log on to the terminal server. Windows
Server 2003 separates the right required to log on locally to a server from the right
required to log on to a server using a remote desktop connection. The user rights
Allow Log On Through Terminal Services, as shown in Figure 2-17, and Deny Log
On Through Terminal Services can be used to manage this right, using either local
policy or Group Policy. On member servers, the local Administrators and Remote
Desktop Users groups have the right to log on through Terminal Services. On
domain controllers, only Administrators have the right by default. If a user does
not have sufficient logon rights, an error message will appear that indicates that
the policy of the terminal server does not allow logon.
Figure 2-17 The Allow Log On Through Terminal Services user right
■ The user must belong to the correct group or groups. Assuming you have man-
aged connection permissions and the right to log on through Terminal Services by
assigning rights and permissions to a group, the user attempting to connect to the
terminal server must be in that group. With the default configuration of Terminal
Server on a member server, users must be members of the Remote Desktop Users
group to connect to a terminal server.
■ The Allow Logon To Terminal Server check box must be selected. The user
account’s Terminal Services Profile tab, as shown in Figure 2-11, indicates that the
user is allowed to log on to a terminal server. If this setting is disabled, the user
will receive an error message indicating that the interactive logon privilege has
been disabled. This error message is easy to confuse with insufficient user logon
rights; however, in that case the error message indicates that the local policy of the
server is not allowing logon.
Note A terminal server has one RDP-Tcp connection by default and can have only one con-
nection object per network adapter, but if a terminal server has multiple adapters, you can
create connections for those adapters. Each connection maintains properties that affect all
user sessions connected to that server connection.
Device Redirection
Once a user has successfully connected, Windows Server 2003 and the Remote Desk-
top client provide a wide array of device redirection options, including:
■ Audio redirection, which allows audio files played within the Terminal Server ses-
sion to be played by the user’s PC. This feature is specified on the Local Resources
tab of the Remote Desktop Connection client, as shown in Figure 2-12. However,
audio redirection is disabled by default in the Client Settings tab of the RDP-Tcp
Properties dialog box, as shown in Figure 2-18. Audio redirection can be specified
by a GPO.
Figure 2-18 The RDP-Tcp Properties dialog box Client Settings tab
■ Drive redirection, which allows the user to access drives that are local to the user’s
PC from within the Remote Desktop session. Local drives are visible in My Computer
under the Other group, as shown in Figure 2-19. This option is disabled by
default, and can be enabled in the Local Resources tab of the Remote Desktop cli-
ent. Terminal Server Configuration can override the client setting and disable drive
redirection from the properties of the connection. These settings can also be spec-
ified by Group Policy. The user account’s Connect Client Drives At Logon setting
does not affect drive redirection using the Remote Desktop Connection client; it is
meant to manage drive redirection for Citrix’s Integrated Computing Architecture
(ICA) clients.
Figure 2-19 My Computer in a Remote Desktop session showing redirected client drives
■ Printer redirection, which allows the user to access printers that are local to the
user’s workstation, as well as network printers that are installed on the user’s
workstation, from within the Remote Desktop session. The Printers And Faxes
folder will display printers that are installed on the terminal server as well as the
client’s redirected printers, as shown in Figure 2-20.
Figure 2-20 The Printers And Faxes folder shows a client’s redirected printer
Like drive redirection, printer redirection is specified in the Local Resources tab of
the Remote Desktop Connection client. Printer redirection can be disabled by
properties of the RDP-Tcp connection. Printer redirection will also be disabled if
the Connect Client Printers At Logon setting is not enabled in the user account
properties, as shown in Figure 2-21. Selecting this option in the user account does
not cause printer redirection; the client must specify redirection in the Local
Resources tab. But if disabled, the user account setting will override the client set-
ting. The user account properties also provide a Default To Main Client Printer set-
ting which, if enabled while printer redirection is in effect, will set the default
printer in the Remote Desktop session to the same printer set as default on the
user’s workstation. If the Default To Main Client Printer setting is disabled, the
Remote Desktop session will use the default printer of the terminal server com-
puter. Printer redirection settings can be specified by a GPO.
Figure 2-21 The Environment tab of a user’s properties dialog box
■ Serial Port redirection, which allows a user to launch an application within a ter-
minal server session that uses a device, such as a barcode reader, attached to the
serial port of the user’s workstation. This feature is also in the Local Resources tab
of the client and can be disabled in the properties of the RDP-Tcp connection.
Serial port redirection can be specified by a GPO.
■ LPT and COM port mapping, which allows a user to install a printer within the
Terminal Server session that maps to a printer attached to an LPT or COM port on
the user’s workstation. This method of printer redirection is not necessary with
Windows Server 2003 and the Remote Desktop Connection client, which support
printer redirection in a much simpler way as described above. LPT and COM port
mapping is, however, still done by default. The RDP-Tcp connection properties
can disable port mapping, as can a GPO.
■ Clipboard mapping, which allows the user to copy and paste information between
a Remote Desktop session and the client’s workstation. This feature is enabled by
default in the Remote Desktop Connection client and cannot be changed within
the client’s user interface (UI). The RDP-Tcp connection properties can disable
clipboard mapping, as can a GPO.
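The precedence order listed under Points of Administration, together with the rule from the redirection bullets above that higher layers can only switch off a redirection the client requested, modelled in Python as an added illustration (not Microsoft's code; the layer names, the remote-control sample values and the replay of Exercise 3 are constructed here):

```python
"""Model of how Terminal Services settings combine across the five points of
administration in this lesson. Added illustration, not Microsoft code: the layer
names and every sample setting below are constructed."""
from __future__ import annotations

# Highest precedence first, in the order the lesson lists them.
LAYERS = ("computer_gpo", "user_gpo", "connection", "user_account", "client")


def effective_value(settings: dict[str, str | None]) -> str | None:
    """Return the value from the highest-precedence layer that configures the
    setting; None at a layer means 'not configured there'."""
    for layer in LAYERS:
        value = settings.get(layer)
        if value is not None:
            return value
    return None


def redirection_in_effect(requested_by_client: bool,
                          disabled_at: dict[str, bool]) -> bool:
    """Decide whether a redirected device (drive, printer, audio, serial port)
    is available in the session.

    requested_by_client: the check box on the client's Local Resources tab.
    disabled_at: True for each layer that switches the redirection off, e.g.
    'Drive Mapping' selected in the Client Settings tab of RDP-Tcp Properties
    ('connection'), or Connect Client Printers At Logon cleared on the user
    account ('user_account').
    """
    if not requested_by_client:
        # Enabling it in the user account or connection does not cause
        # redirection; the client has to ask for it.
        return False
    # Any higher layer that disables the redirection overrides the client.
    return not any(disabled_at.get(layer, False) for layer in LAYERS[:-1])


def remote_control_example() -> str | None:
    """User account allows view-only remote control, but the RDP-Tcp connection
    is set to full control: the connection's setting wins (constructed values)."""
    return effective_value({"user_account": "view only, notify user",
                            "connection": "full control, notify user",
                            "client": None})


def exercise3_outcomes() -> tuple[bool, bool]:
    """Replay Exercise 3: drives are redirected once the client selects Disk
    Drives, and stop being redirected after Drive Mapping is disabled on the
    RDP-Tcp connection even though the client still asks for them."""
    before = redirection_in_effect(True, {})
    after = redirection_in_effect(True, {"connection": True})
    return before, after


if __name__ == "__main__":
    print(remote_control_example())   # full control, notify user
    print(exercise3_outcomes())       # (True, False)
```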
Managing Sessions and Processes
The Terminal Services Manager console provides the capability to monitor and control
sessions and processes on a terminal server. You can disconnect, log off, or reset a user
or session, send a message to a user, or end a process launched by any user. Task Man-
ager can also be used to monitor and end processes; just be certain to select the Show
Processes From All Users check box. If a terminal server’s performance is lethargic, use
Terminal Server Manager or Task Manager to look at the processes being run by all
users to determine if one process has stopped responding and is consuming more than
its fair share of processor time.
Managing User Sessions
A variety of settings determine the behavior of a user session that has been active, idle,
or disconnected for a time. These settings can be configured in the Sessions tab of the
RDP-Tcp Properties dialog box in the Terminal Services Configuration console, shown
in Figure 2-22. The settings can also be configured with Group Policy.
Figure 2-22 The Sessions tab of the RDP-Tcp Properties dialog box
Load-Balancing Terminal Servers
In previous implementations of Terminal Services, it was difficult to load-balance ter-
minal servers. Windows Server 2003 Enterprise and Datacenter Editions introduce the
ability to create server clusters, which are logical groupings of terminal servers. When
a user connects to the cluster, the user is directed to one server. If the user’s session is
disconnected and the user attempts to reconnect, the terminal server receiving the con-
nection will check with the Session Directory to identify which terminal server is host-
ing the disconnected session and will redirect the client to the appropriate server.
To configure a terminal server cluster, you need
■ A load-balancing technology such as Network Load Balancing (NLB) or DNS
round-robin. The load-balancing solution will distribute client connections to each
of the terminal servers.
■ A Terminal Services Session Directory. You must enable the Terminal Services Ses-
sion Directory, which is installed by default on Windows Server 2003 Enterprise and
Datacenter Editions, using the Services console in Administrative Tools. It is best
practice to enable the session directory on a server that is not running Terminal
Server. The Terminal Services Session Directory maintains a database that tracks
each user session on servers in the cluster. The computer running the session direc-
tory creates a Session Directory Computers local group, to which you must add the
computer accounts of all servers in the cluster.
■ Terminal server connection configuration. Finally, you must direct the cluster’s
servers to the session directory. This process involves specifying that the server is
part of a directory, the name of the session directory server, and the name for the
cluster, which can be any name you wish as long as the same name is specified for
each server in the cluster. These settings can be specified in the Server Settings
node of Terminal Server Configuration, or they can be set using a GPO applied to
an OU that contains the computer objects for the cluster’s terminal servers.
When a user connects to the cluster, the following process occurs:
1. When the user logs on to the terminal server cluster, the terminal server receiving
the initial client logon request sends a query to the session directory server.
2. The session directory server checks the username against its database and sends
the result to the requesting server as follows:
❑ If the user has no disconnected sessions, logon continues at the server host-
ing the initial connection.
❑ If the user has a disconnected session on another server, the client session is
passed to that server and logon continues.
❑ When the user logs on to a new or disconnected session, the session directory
is updated.
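The two-step lookup above, simulated in Python as an added example that is not part of the original lesson; the server names TS01 and TS02, the user and the round-robin balancer are constructed stand-ins for NLB and the directory's database, and a run without a directory shows the duplicate session the lookup prevents.

```python
"""Simulation of the Terminal Services Session Directory lookup described in
the lesson. Added illustration, not Microsoft code: server names, the user and
the round-robin balancer are constructed stand-ins."""
from __future__ import annotations

from itertools import cycle


class SessionDirectory:
    """Per user: the server hosting the session, and whether it is disconnected."""

    def __init__(self) -> None:
        self._entries: dict[str, tuple[str, bool]] = {}

    def disconnected_session(self, user: str) -> str | None:
        entry = self._entries.get(user)
        if entry is not None and entry[1]:
            return entry[0]          # server holding the disconnected session
        return None

    def record_logon(self, user: str, server: str) -> None:
        # Updated whenever the user logs on to a new or disconnected session.
        self._entries[user] = (server, False)

    def record_disconnect(self, user: str) -> None:
        server, _ = self._entries[user]
        self._entries[user] = (server, True)


class Cluster:
    """Terminal servers behind a load balancer, optionally sharing a directory."""

    def __init__(self, servers: list[str],
                 directory: SessionDirectory | None = None) -> None:
        self.directory = directory
        self._balancer = cycle(servers)        # stands in for NLB / DNS round-robin
        self.sessions: dict[str, set[str]] = {s: set() for s in servers}

    def logon(self, user: str) -> str:
        receiving = next(self._balancer)       # step 1: balancer picks a server
        target = receiving
        if self.directory is not None:         # step 2: receiving server queries
            previous = self.directory.disconnected_session(user)
            if previous is not None:
                target = previous              # client passed to that server
            self.directory.record_logon(user, target)
        self.sessions[target].add(user)        # resumes or creates the session
        return target

    def disconnect(self, user: str) -> None:
        if self.directory is not None:
            self.directory.record_disconnect(user)

    def session_count(self) -> int:
        return sum(len(users) for users in self.sessions.values())


def reconnect_demo(use_directory: bool) -> tuple[str, str, int]:
    """One user logs on, disconnects, and reconnects through the balancer.
    Returns (server at first logon, server after reconnect, sessions existing)."""
    cluster = Cluster(["TS01", "TS02"],
                      SessionDirectory() if use_directory else None)
    first = cluster.logon("lorrin")
    cluster.disconnect("lorrin")
    second = cluster.logon("lorrin")   # balancer now hands the user to TS02
    return first, second, cluster.session_count()


if __name__ == "__main__":
    print("without session directory:", reconnect_demo(False))  # ('TS01', 'TS02', 2)
    print("with session directory:   ", reconnect_demo(True))   # ('TS01', 'TS01', 1)
```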
Exam Tip Be sure to know the pieces that are required to establish a terminal server clus-
ter. Should you decide to implement a terminal server cluster within your enterprise, you can
refer to the Help And Support Center for detailed instructions for doing so.
Remote Control
Terminal Server allows an administrator to view or take control of a user’s session. This
feature not only allows administrators to monitor user actions on a terminal server, but
also acts like Remote Assistance, allowing a help desk employee to control a user’s ses-
sion and perform actions that the user is able to see as well.
To establish remote control, both the user and the administrator must be connected to
terminal server sessions. The administrator must open the Terminal Server Manager
console from the Administrative tools group, right-click the user’s session, and choose
Control. By default, the user will be notified that the administrator wishes to connect to
the session and can accept or deny the request.
Important Remote Control is available only when using Terminal Server Manager within a
terminal server session. You cannot establish remote control by opening Terminal Server
Manager on your PC.
Remote control settings include the ability to remotely view and remotely control a ses-
sion, as well as whether the user should be prompted to accept or deny the adminis-
trator’s access. These settings can be configured in the user account properties in the
Remote Control tab, as shown in Figure 2-23, and can be configured by the properties
of the RDP-Tcp connection, which will override user account settings. Group Policy
can also be used to specify remote control configuration.
Figure 2-23 The Remote Control tab of a user’s properties dialog box
In addition to enabling remote control settings, an administrator must have permissions
to establish remote control over the terminal server connection. Using the Permissions
tab of the RDP-Tcp Properties dialog box, you can assign the Full Control permission
template or, by clicking Advanced, assign the Remote Control permission to a group, as
shown in Figure 2-24.
Figure 2-24 The Remote Control permission
See Also For more information about implementing Terminal Server in a production envi-
ronment, be sure to read Microsoft Windows Server 2003 Terminal Services by Bernhard
Tritsch (Microsoft Press, 2004).
Practice: Preparing Terminal Server
In this practice, you will install Terminal Server on Server02, configure a user account
to enable Terminal Server logon, and configure device redirection. To perform this
practice, you will need a second computer installed with Windows Server 2003, named
Server02, and belonging to the contoso.com domain.
Exercise 1: Installing Terminal Server
1. Log on to Server02.
2. Open Add/Remove Programs from Control Panel.
3. Click Add/Remove Windows Components to open the Windows Components
Wizard.
4. Select the Terminal Server check box.
A Configuration Warning appears, reminding you that the Internet Explorer
Enhanced Security Configuration will restrict users’ Web access.
5. Click Yes, and then click Next.
A message appears discussing the installation of applications on a terminal server.
6. Click Next, ensure that Full Security is selected, and then click Next.
7. On the Terminal Server Setup page, select I Will Specify A License Server Within
120 Days, and then click Next.
8. Select Per User Licensing Mode and click Next.
The Configuring Components page appears while Terminal Server is installed.
9. Click Finish.
10. Restart Server02.
Exercise 2: Configuring Terminal Server Users
1. Log on to Server01 as Administrator.
2. Open Active Directory Users And Computers.
3. Create a user account in the Users container named Lorrin Smith-Bates.
You might already have an account for Lorrin Smith-Bates if you have worked
through lessons in other chapters. Write down the username and password
assigned to this account; you will be logging on as Lorrin Smith-Bates in the next
exercise.
4. Create a global security group account in the Users container named Contoso Ter-
minal Server Users.
5. Add Lorrin Smith-Bates to the Contoso Terminal Server Users group.
6. Add the Contoso Terminal Server Users group to the Print Operators group.
Because Lorrin is a user, he would not be able to log on to Server01, a domain
controller. For the purposes of this practice, Lorrin needs the right to log on locally
to Server01, and nesting his account in the Print Operators group is an easy way
to achieve that goal.
7. Log off of Server01.
8. Log on to Server02 as Administrator.
9. Click Start, right-click My Computer, and choose Manage.
10. Expand the Local Users And Groups snap-in in the console tree.
11. Select the Groups node.
12. Double-click Remote Desktop Users in the details pane.
13. Add the Contoso Terminal Server Users group as a member.
Exercise 3: Logging On to Terminal Server with Device Redirection
1. Log on to Server01 as Lorrin Smith-Bates.
2. Open Remote Desktop Connection from the All Programs\Accessories\Communications
program group.
3. In the Computer box, type server02.contoso.com and click Connect.
4. In the Remote Desktop session, log on to Server02 as Lorrin Smith-Bates.
5. Open My Computer and note that the drives shown are the drives on Server02.
6. In the Remote Desktop session, log off Server02.
7. Open Remote Desktop Connection again and click the Options button.
8. Click the Local Resources tab, select the Disk Drives check box, and click Connect.
9. A Security Warning appears. Click OK.
10. In the Remote Desktop session, log on to Server02 as Lorrin Smith-Bates.
11. Open My Computer, and note that you now see the drives on Server01 in the
group called Other.
12. In the Remote Desktop session, log off of Server02.
13. Do not log off of Server01. Log directly on to Server02 as Administrator.
14. On Server02, open the Terminal Services Configuration console from the Admin-
istrative Tools folder.
15. Select Connections in the console tree.
16. Double-click RDP-Tcp in the details pane.
17. In the Client Settings tab, select the Drive Mapping check box, and click OK to
close the RDP-Tcp Properties dialog box.
18. On Server01, still logged on as Lorrin, open Remote Desktop Connection.
19. Ensure that server02.contoso.com is entered as the computer and, in the Local
Resources tab, that the Disk Drives check box is still selected.
20. Click Connect, and log on to Server02 as Lorrin Smith-Bates. Click OK to close the
Security Warning message box.
21. Open My Computer.
Local drives are no longer redirected. The setting you configure in the properties
of the RDP-Tcp connection overrides client settings.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. You have enabled Remote Desktop connections on Server02, a member server in
the contoso.com domain. Terminal Server is installed on Server02. You want
Danielle Tiedt to be able to connect using the Remote Desktop Connection client.
What additional configuration must first be performed on Server02?
2. You have enabled Remote Desktop connections on Server01, a domain controller
in the contoso.com domain. Terminal Server is installed on Server01. You want
Terry Adams to be able to connect using the Remote Desktop Connection client.
Terry is a member of the Remote Desktop Users group on Server01. What addi-
tional configuration must first be performed for Terry to successfully connect?
3. Name three locations where you can configure Terminal Server settings that will
override settings on the Remote Desktop Connection client.
Lesson Summary
■ Terminal Server provides applications in a multiuser environment. Those appli-
cations must be installed using Add Or Remove Programs or the Change User
command.
■ For a user to successfully connect, Remote Desktop connections must be enabled
on the server, the server’s connection (for example, the RDP-Tcp connection) must
allow connections for a group to which the user belongs, the user must be in a
group that is granted the right Allow Logon Through Terminal Services, and the
user account must Allow Logon To Terminal Server. On a member server, all the
appropriate permissions are configured by default for the Remote Desktop Users
group, so you must simply enable Remote Desktop connections and add the user
to that group.
■ A domain controller’s security policy does not, by default, grant the Allow Logon
Through Terminal Services user right.
■ Various Terminal Server settings can be configured on the client, in the user
account, on the connection, or on the server. Most of these settings can addition-
ally be configured through Group Policy for terminal servers running Windows
Server 2003.
■ Windows Server 2003 and the Remote Desktop Connection client support device
redirection including audio devices, printers, and disks.
■ To load-balance terminal servers, you must configure a load-balancing technology
such as NLB or DNS round-robin, enable the Terminal Services Session Directory
on a server, add computer accounts for the servers to the directory server’s Session
Directory Computers local group, and configure the servers to belong to the clus-
ter through Terminal Server Configuration or Group Policy.
■ You can monitor and remotely control a user’s Terminal Services session by connecting
to the terminal server with the Remote Desktop Connection client, opening Terminal
Server Manager, right-clicking the user session, and choosing Remote Control.
Case Scenario Exercise
As part of the remote administration of your enterprise, your company has enabled Remote Assistance on each computer. Your sales representatives travel frequently and use laptops to perform their work while they travel.
On your internal network, you use Windows Messenger for spontaneous communication with your clients, and for Remote Assistance. However, you disallow Instant Messenger traffic across the Internet by closing port 1863 at the firewall.
You want to perform Remote Assistance for your remote users, but cannot connect to them with Windows Messenger to determine whether they are online.
Is Remote Assistance possible for your remote users? If so, how would you accomplish it?
Troubleshooting Lab
You are trying to connect to a server running Windows Server 2003 in your environment with a Remote Desktop Connection but consistently get the message shown in Figure 2-25 when attempting to connect.
Figure 2-25 Error Logon Message when connecting to the Remote Desktop For Administration console
You have checked settings on the server and confirmed the following:
■ You are a member of the Remote Desktop Users group.
■ You are not a member of the Administrators group.
■ You are able to connect to share points on the computer running Terminal Server, and the computer responds affirmatively to a ping.
What other settings will you check on the computer running Terminal Server to troubleshoot this problem?
Chapter Summary
■ MMCs are the common, system tool interface in Windows Server 2003.
■ Snap-ins are individual tools that can be loaded into an MMC.
■ Some snap-ins can be used to configure remote computers; others are limited to local computer access.
■ MMCs can be saved in either Author (full access) or User (limited access) modes. The mode of an MMC neither grants nor removes a user’s ability to perform a task; what the user can do is governed by the permissions he or she holds.
■ Remote Desktop For Administration allows for the same administration of a server from a remote location as if logged on to the local console interactively.
■ Remote Desktop For Administration, for desktop operating systems, is available only with Windows XP.
■ Remote Assistance is like Remote Desktop For Administration for the desktop, allowing remote viewing and control of Windows XP desktop computers.
■ Remote Assistance will also work on a computer running Windows Server 2003.
■ Two users are required for Remote Assistance to be viable: one user at the target desktop, and the expert helper at another computer. Both must agree on the control actions taken during the session, and the session can be ended by either party at any time.
Exam Highlights
Before taking the exam, review the key points and terms that are presented below to help you identify topics you need to review. Return to the lessons for additional practice and review the “Further Reading” sections in Part 2 for pointers to more information about topics covered by the exam objectives.
Key Points
■ MMCs are the containers for snap-ins.
■ Snap-ins can be used in either local or remote context but cannot be connected to both the local and remote computers simultaneously.
■ Snap-ins can be combined in a single console to suit administrative preference.
■ MMCs can be saved in User mode to restrict their configuration, but the ability to perform tasks with the tool is governed by permissions, not by limitations placed on a particular MMC. If a user has sufficient privilege to administer a computer, the user can create MMCs with any snap-in.
■ Remote Desktop For Administration requires permissions to attach with the Remote Desktop client. By default, this permission is granted only to Administrators.
■ Remote Assistance is a two-way, agreed session. At no time can an expert take unauthorized control of a user’s computer.
■ Port 3389, the same port used by Remote Desktop For Administration, must be open at the firewall for Remote Assistance sessions to be established.
Key Terms
Remote Assistance vs. Remote Desktop For Administration  Remote Assistance allows a remote control session to be established from an expert user as invited by a novice user. The credentials for authentication are supplied in the form of a shared secret password created within the invitation by the novice. Remote Desktop For Administration involves only one user connected remotely to a computer running the Terminal Server service and configured to allow Remote Desktop connections by the user.
Microsoft Management Console (MMC)
Remote Desktop For Administration  Credentials and server configuration required for Remote Desktop For Administration connections.
Questions and Answers
Lesson 1 Review (page 2-8)
1. What is the default mode when you create an MMC?
The default mode for an MMC is Author mode.
2. Can a snap-in have focus on both the local computer and a remote computer simultaneously?
No. Snap-ins can be configured to connect to the local computer, or a remote computer, but not both simultaneously.
3. If you want to limit the access of a snap-in, how do you construct the MMC that contains the snap-in?
Save the console in one of the User modes, depending on the level of limitation you want.
Lesson 2 Review (page 2-11)
1. What credentials are required for administration of a remote computer using the MMC?
You must have administrative credentials on the remote computer to perform remote administration.
2. Can an existing MMC snap-in be changed from local to remote context, or must a snap-in of the same type be loaded into the MMC for remote connection?
A snap-in’s context might be changed by accessing the properties of the snap-in. A snap-in does not have to be reloaded to change its configuration.
3. Are all functions within a snap-in used on a local computer usable when connected remotely?
No, not all functionality is available. The Device Manager component in the Computer Management snap-in, for example, can be used only to view remote computer configurations; no changes can be made to the remote computer’s device configuration.
Lesson 3 Review (page 2-19)
1. How many simultaneous connections are possible to a Terminal Server running in Remote Administration mode? Why?
Three; two remote connections and one at the console (but that’s not fair, is it?). Technically, then, two is the limit because the application-sharing components are not installed with Terminal Server configured in Remote Desktop mode for remote administration.
2. What would be the best way to give administrators the ability to administer a server remotely through Terminal Services?
a. Don’t do anything; they already have access because they are administrators.
b. Remove the Administrators from the permission list on the Terminal Server connection, and put their administrator account in the Remote Desktop For Administration Group.
c. Create a separate, lower-authorization user account for Administrators to use daily, and place that account in the Remote Desktop For Administration Group.
The correct answer is c. It is a best practice to log on using an account with minimal credentials, then to launch administrative tools with higher-level credentials using Run As.
3. What tool is used to enable Remote Desktop on a server?
a. Terminal Services Manager
b. Terminal Services Configuration
c. System properties in Control Panel
d. Terminal Services Licensing
The correct answer is c.
Lesson 4 Review (page 2-28)
1. How is Remote Assistance like Remote Desktop For Administration? How is it different?
Remote Assistance allows for remote control of a computer as if the user were physically at the console, as does a connection to a Terminal Server through Remote Desktop For Administration. Remote Desktop For Administration is controlled solely by the directory of accounts, either local or domain, that is configured for the Terminal Server connections on that computer. Remote Assistance requires a “handshake” of sorts between the user and the expert helper.
2. What are the benefits of Remote Assistance?
The user does not have to have an expert on site to receive assistance. The difficulty of solving a problem over the telephone is removed.
3. Which of the following are firewall-related constraints relating to Remote Assistance?
a. Port 3389 must be open.
b. NAT cannot be used.
c. Internet Connection Sharing is not possible.
d. You cannot use Remote Assistance across a Virtual Private Network (VPN).
The correct answer is a.
Lesson 5 Review (page 2-46)
1. You have enabled Remote Desktop connections on Server02, a member server in the contoso.com domain. Terminal Server is installed on Server02. You want Danielle Tiedt to be able to connect using the Remote Desktop Connection client. What additional configuration must first be performed on Server02?
Add Danielle Tiedt to the local Remote Desktop Users group on Server02.
2. You have enabled Remote Desktop connections on Server01, a domain controller in the contoso.com domain. Terminal Server is installed on Server01. You want Terry Adams to be able to connect using the Remote Desktop Connection client. Terry is a member of the Remote Desktop Users group on Server01. What additional configuration must first be performed for Terry to successfully connect?
Configure a GPO, such as the Default Domain Controllers GPO, so that the user right Allow Logon Through Terminal Services is configured and assigned to the Remote Desktop Users group.
3. Name three locations where you can configure Terminal Server settings that will override settings on the Remote Desktop Connection client.
The properties of user objects in Active Directory, the properties of the terminal server connection (for example, RDP-Tcp connection), and Terminal Services group policies.
Case Scenario Exercise (page 2-48)
Is Remote Assistance possible for your remote users? If so, how would you accomplish it?
You must use one of the alternate methods of requesting Remote Assistance.
■ The E-Mail Method: Send an e-mail to the expert through Help And Support Tools. When the expert accesses the link in the e-mail, the expert will be able to establish a Remote Assistance session.
■ File Method: Create a Remote Assistance file through Help And Support Tools. E-mail the file to the expert, or have the expert access it through a file share point. When the expert accesses the link within the file, the expert will be able to establish a Remote Assistance session.
In both methods, it is highly recommended that you create a password for the Remote Assistance session, and give the expert the password in a secure fashion so that your Remote Assistance session cannot be accessed by an unauthorized person.
Troubleshooting Lab (page 2-48)
What other settings will you check on the computer running Terminal Server to troubleshoot this problem?
It is likely that the Terminal Server in question is a domain controller, and that the Default Domain Controller Group Policy has not been enabled to allow remote connections by the Remote Administrative Users group. The Local Group Policy on domain controllers forbids nonadministrator remote connections, and must be changed. The easiest way to change the Local Policy is to override it with a change to the Default Domain Controller Group Policy.
3 User Accounts
Exam Objectives in this Chapter:
■ Create and manage user accounts
■ Create and modify user accounts by using the Active Directory Users And Computers Microsoft Management Console (MMC) snap-in
■ Create and modify user accounts by using automation
■ Import user accounts
■ Manage local, roaming, and mandatory user profiles
■ Troubleshoot user accounts
■ Diagnose and resolve account lockouts
■ Diagnose and resolve issues related to user account properties
■ Troubleshoot user authentication issues
Why This Chapter Matters
Before individuals in your enterprise can access the resources they require, you must enable authentication of those individuals. Of course, the primary component of that authentication is the user’s identity, often referred to as an account, in Active Directory directory service. In this chapter, you will review and enhance your knowledge related to the creation, maintenance, and troubleshooting of user accounts and authentication.
Each enterprise, and each day, brings with it a unique set of challenges related to user management. The properties you configure for a standard user account are likely to be different from those you apply to the account of a help desk team member, which are different still from those configured for the built-in Administrator account. Skills that are effective to create or modify a single user account become clumsy and inefficient when you are working with masses of accounts, such as when creating the accounts for newly hired employees.
To address a diverse sampling of account management scenarios effectively, we will examine a variety of user management skills and tools, including the Active Directory Users And Computers snap-in and powerful command-line utilities.
Lessons in this Chapter:
■ Lesson 1: Creating and Managing User Objects (page 3-3)
■ Lesson 2: Creating Multiple User Objects (page 3-15)
■ Lesson 3: Managing User Profiles (page 3-32)
■ Lesson 4: Securing and Troubleshooting Authentication (page 3-44)
Before You Begin
This chapter presents the skills and concepts related to user accounts in Active Directory. This training kit presumes you have a minimum of 18 months’ experience and a working knowledge of Active Directory, the MMC, and the Active Directory Users And Computers snap-in. If you desire hands-on practice by using the examples and lab exercises in the chapter, prepare the following:
■ A Microsoft Windows Server 2003 (Standard or Enterprise) computer installed as Server01 and configured as a domain controller in the domain contoso.com
■ First-level organizational units (OUs): Administrative Groups, Employees, and Security Groups
■ Global groups, in the Security Groups OU, called Sales Representatives and Sales Managers
■ The Active Directory Users And Computers console or a customized console with the Active Directory Users And Computers snap-in
Lesson 1: Creating and Managing User Objects
Active Directory requires the verification of an individual’s identity—a process called authentication—before that individual can access resources. The cornerstone of authentication is the user’s identity, or account, with its user logon name, password, and unique security identifier (SID). During logon, Active Directory authenticates the user name and password entered by the user. The security subsystem can then build the security access token that represents that user. The access token contains the user account’s SID, as well as the SIDs of groups to which the user belongs. That token can then be used to verify user rights assignments, including the right to log on locally to the system, and to authorize access to resources secured by access control lists (ACLs).
A user’s identity is integrated into the Active Directory user object. The user object includes not just the user’s name, password, and SID, but also contact information such as telephone numbers and addresses; organizational information including job title, direct reports and manager; group memberships; and configuration such as roaming profile, terminal services, remote access, and remote control settings. This lesson will review and enhance your understanding of user objects in Active Directory.
After this lesson, you will be able to
■ Create user objects in Active Directory using the Active Directory Users And Computers snap-in
■ Configure user object properties
■ Understand important account options that are not self-explanatory based on their descriptions
■ Modify properties of multiple users simultaneously
Estimated lesson time: 15 minutes
Creating User Objects with Active Directory Users And Computers
You can create a user object with the Active Directory Users And Computers snap-in. Although you can create user objects in the root of the domain or any of the default containers, it is best to create a user in an organizational unit, so that you can fully leverage administrative delegation and Group Policy Objects (GPOs).
To create a user object, select the OU or container in which you want to create the object, click the Action menu, then choose New and choose User. You must be a member of the Enterprise Admins, Domain Admins, or Account Operators groups, or you must have been delegated administrative permissions to create user objects in the container. If you do not have sufficient permissions to create user objects, the New User command will be unavailable to you.
The New Object–User dialog box appears, as shown in Figure 3-1. The first page of the New Object–User dialog box requests properties related to the user name. Table 3-1 describes the properties that appear on the first page of the dialog box.
Figure 3-1 The New Object–User dialog box
Table 3-1 User Properties on the First Page of the New Object–User Dialog Box
First Name: The user’s first name. Not required.
Initials: The middle initials of the user’s name. Not required.
Last Name: The user’s last name. Not required.
Full Name: The user’s full name. If you enter values for the first or last name, the full name property is populated automatically. However, you can easily modify the suggested value. The field is required. The name entered here generates several user object properties, specifically CN (common name), DN (distinguished name), name, and displayName. Because CN must be unique within a container, the name you enter here must be unique relative to all other objects in the OU (or other container) in which you create the user object.
User Logon Name: The user principal name (UPN) consists of a logon name and a UPN suffix which is, by default, the DNS name of the domain in which you create the object. The property is required and the entire UPN, in the format logon_name@UPN_suffix, must be unique within the Active Directory forest. A sample UPN would be someone@contoso.com. The UPN can be used to log on to any Microsoft Windows system running Windows 2000, Windows XP, or Windows Server 2003. You can modify the options available as a UPN suffix by opening the properties of the Active Directory Domains And Trusts snap-in.
User Logon Name (Pre–Windows 2000): This logon name is used to log on from down-level clients, such as Microsoft Windows 95, Windows 98, Windows Millennium Edition (Windows Me), Windows NT 4, or Windows NT 3.51. You can also use it to log on to systems running Windows 2000, Windows XP, or Windows Server 2003. This field is required and must be unique within the domain.
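The three uniqueness scopes in Table 3-1 (CN within its container, UPN within the forest, pre-Windows 2000 logon name within the domain) are easy to get wrong when provisioning accounts. The following Python is an added example, not code from the book: it checks a proposed set of names against a constructed list of existing objects, and also applies the 20-character limit and the illegal-character rule that Windows enforces on the pre-Windows 2000 logon name (sAMAccountName), which the table does not state.

```python
"""Check a proposed user's names against the uniqueness rules of Table 3-1.

Added example, not from the book. The existing directory objects below are
constructed; a real check would query the directory instead."""

import re

# Characters Windows rejects in a pre-Windows 2000 logon name (sAMAccountName),
# and the 20-character limit that applies to user accounts.
SAM_ILLEGAL = set('"/\\[]:;|=,+*?<>')
SAM_MAX_LEN = 20

# Constructed sample of existing objects: (container DN, CN, UPN, sAMAccountName).
EXISTING = [
    ("OU=Employees,DC=contoso,DC=com", "Dan Holme", "dan.holme@contoso.com", "dholme"),
    ("OU=Employees,DC=contoso,DC=com", "Hank Carbeck", "hank.carbeck@contoso.com", "hcarbeck"),
    ("OU=Sales,DC=contoso,DC=com", "Terry Adams", "terry.adams@contoso.com", "tadams"),
]


def validate_new_user(container, cn, upn, sam, existing=EXISTING):
    """Return a list of problems; an empty list means the names are acceptable.

    Directory name comparisons are case-insensitive, as they are in Active Directory.
    """
    problems = []

    # Full Name becomes the CN: it must be unique among objects in the same container.
    if any(c.lower() == container.lower() and n.lower() == cn.lower()
           for c, n, _, _ in existing):
        problems.append(f"CN {cn!r} already exists in {container}")

    # UPN: required, in the form logon_name@UPN_suffix, unique across the forest.
    if not re.fullmatch(r"[^@\s]+@[^@\s]+", upn or ""):
        problems.append(f"UPN {upn!r} is not in the form logon_name@UPN_suffix")
    elif any(u.lower() == upn.lower() for _, _, u, _ in existing):
        problems.append(f"UPN {upn!r} already exists in the forest")

    # Pre-Windows 2000 logon name: required, at most 20 characters, no illegal
    # characters, unique within the domain.
    if not sam:
        problems.append("pre-Windows 2000 logon name is required")
    else:
        if len(sam) > SAM_MAX_LEN:
            problems.append(f"pre-Windows 2000 logon name {sam!r} exceeds {SAM_MAX_LEN} characters")
        bad = sorted(set(sam) & SAM_ILLEGAL)
        if bad:
            problems.append(f"pre-Windows 2000 logon name contains illegal characters {''.join(bad)!r}")
        if any(s.lower() == sam.lower() for _, _, _, s in existing):
            problems.append(f"pre-Windows 2000 logon name {sam!r} already exists in the domain")

    return problems


if __name__ == "__main__":
    # A second "Dan Holme" in the Employees OU collides on all three names.
    for p in validate_new_user("OU=Employees,DC=contoso,DC=com", "dan holme",
                               "DAN.HOLME@contoso.com", "DHolme"):
        print(p)
```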
After you have entered the values on the first page of the New Object–User dialog box, click Next. The second page of the dialog box, shown in Figure 3-2, allows you to enter the user password and to set account flags.
Figure 3-2 Second page of the New Object–User dialog box
Security Alert The default account policies in a Windows Server 2003 domain, set in the Default Domain Policy GPO, require complex passwords that have a minimum of seven characters. That means a password must contain three of four character types: uppercase, lowercase, numeric, and nonalphanumeric.
When you use Windows Server 2003 in a test or lab environment, you should implement the same best practices that are required in a production network. Therefore, in this book, you are encouraged to use complex passwords for the user accounts you create; it will be left to you to remember those passwords during exercises that require logging on as those users.
The properties available on the second page of the New Object–User dialog box are summarized in Table 3-2.
Table 3-2 User Properties on the Second Page of the New Object–User Dialog Box
Password: The password that is used to authenticate the user. For security reasons, you should always assign a password. The password is masked as you type it.
Confirm Password: Confirm the password by typing it a second time to make sure you typed it correctly.
User Must Change Password At Next Logon: Select this check box if you want the user to change the password you have entered the first time he or she logs on. You cannot select this option if you have selected Password Never Expires. Selecting this option will automatically clear the mutually exclusive option User Cannot Change Password.
User Cannot Change Password: Select this check box if you have more than one person using the same domain user account (such as Guest) or to maintain control over user account passwords. This option is commonly used to manage service account passwords. You cannot select this option if you have selected User Must Change Password At Next Logon.
Password Never Expires: Select this check box if you never want the password to expire. This option will automatically clear the User Must Change Password At Next Logon setting because they are mutually exclusive. This option is commonly used to manage service account passwords.
Account Is Disabled: Select this check box to disable the user account, for example, when creating an object for a newly hired employee who does not yet need access to the network.
Off the Record When creating objects for new users, choose a unique, complex password for each user that does not follow a predictable pattern. Select the option to enforce that the user must change password at next logon. If the user is not likely to log on to the network for a period, disable the account. When the user requires access to the network for the first time, ensure that the user’s account is enabled. The user will be prompted to create a new, unique password that only the user knows.
Some of the account options listed in Table 3-2 have the potential to contradict policies set in the domain policies. For example, the default domain policy implements a best practice of disabling the storing of passwords using reversible encryption. However, in the rare circumstances that require reversible encryption, the user account property, Store Password Using Reversible Encryption, will take precedence for that specific user object. Similarly, the domain policy may specify a maximum password age. If a user object is configured as Password Never Expires, that configuration will override the domain’s policies.
Managing User Objects with Active Directory Users And Computers
When creating a user, you are prompted to configure the most common user properties, including logon names and password. However, user objects support numerous additional properties that you can configure at any time using Active Directory Users And Computers. These properties facilitate the administration of, and the searching for, an object.
To configure the properties of a user object, select the object, click the Action menu, and then choose Properties. The user’s Properties dialog box appears, as shown in Figure 3-3. An alternative way to view an object’s properties would be to right-click the object and select Properties from the shortcut menu.
Figure 3-3 The user’s Properties dialog box
The property pages in the Properties dialog box expose properties that fall into several broad categories:
■ Account properties: the Account tab. These properties include those that are configured when you create a user object, including logon names, password, and account flags.
■ Personal information: the General, Address, Telephones, and Organization tabs. The General tab exposes the name properties that are configured when you create a user object.
■ User configuration management: the Profile tab. Here you can configure the user’s profile path, logon script, and home folder locations.
■ Group membership: the Member Of tab. You can add and remove user groups and set the user’s primary group.
■ Terminal services: the Terminal Services Profile, Environment, Remote Control, and Sessions tabs. These four tabs allow you to configure and manage the users’ experience when they are connected to a Terminal Services session.
■ Remote access: the Dial-in tab. Allows you to enable and configure remote access permission for a user.
■ Applications: the COM+ tab. Assigns Active Directory COM+ partition sets to the user. This feature, new to Windows Server 2003, facilitates the management of distributed applications.
Account Properties
Of particular note are the user’s account properties in the Account tab of the user’s Properties dialog box. An example appears in Figure 3-4.
Figure 3-4 The user Account tab
Several of these properties were discussed in Table 3-2. Those properties were configured when creating the user object and can be modified, as can a larger set of account properties, using the Account tab. Several properties are not necessarily self-explanatory, and deserve definition in Table 3-3.
Table 3-3 User Account Properties
Logon Hours: Click Logon Hours to configure the hours during which a user is allowed to log on to the network.
Log On To: Click Log On To if you want to limit the workstations to which the user can log on. This is called Computer Restrictions in other parts of the user interface. You must have NetBIOS over TCP/IP enabled for this feature to restrict users because it uses the computer name, rather than the Media Access Control (MAC) address of its network card, to restrict logon.
Store Password Using Reversible Encryption: This option, which stores the password in Active Directory without using Active Directory’s powerful, nonreversible encryption hashing algorithm, exists to support applications that require knowledge of the user password. If it is not absolutely required, do not enable this option because it weakens password security significantly. Passwords stored using reversible encryption are similar to those stored as plaintext. Macintosh clients using the AppleTalk protocol require knowledge of the user password. If a user logs on using a Macintosh client, you will need to select the option to Store password using reversible encryption.
Smart Card Is Required For Interactive Logon: Smart cards are portable, tamper-resistant hardware devices that store unique identification information for a user. They are attached to, or inserted into, a system and provide an additional, physical identification component to the authentication process.
Account Is Trusted For Delegation: This option enables a service account to impersonate a user to access network resources on behalf of a user. This option is not typically selected, certainly not for a user object representing a human being. It is used more often for service accounts in three-tier (or multi-tier) application infrastructures.
Account Expires: Use the Account Expires controls to specify when an account expires.
Tip When configuring domain accounts for services, it is common to specify that the account password never expires. In such situations be sure you use a long, complex password. If the service account is used by services on a limited number of systems, you can increase the security of the account by configuring the Log On To property with the list of systems using the service account.
Managing Properties on Multiple Accounts Simultaneously
Windows Server 2003 allows you to modify the properties of multiple user accounts simultaneously. You simply select several user objects by holding the CTRL key as you click each user, or by using any other multiselection techniques. Be certain that you select only objects of one class, such as users. After you have multiselected, click the Action menu, and then choose Properties.
When you have multiselected user objects, a subset of properties is available for modification.
■ General tab: Description, Office, Telephone Number, Fax, Web Page, E-mail
■ Account tab: UPN Suffix, Logon Hours, Computer Restrictions (logon workstations), all Account Options, Account Expires
■ Address: Street, PO Box, City, State/Province, ZIP/Postal Code, Country/Region
■ Profile: Profile Path, Logon Script, and Home Folder
■ Organization: Title, Department, Company, Manager
Tip Be sure to know which properties can be modified for multiple users simultaneously. Exam scenarios and simulations that suggest a need to change many user objects’ properties as quickly as possible are often testing your understanding of multiselect.
There are still many properties that must be set on a user-by-user basis. Also, certain administrative tasks, including the resetting of passwords and the renaming of accounts, can be performed on only one user object at a time.
Saved Queries
The Active Directory Users And Computers MMC console and snap-in contains a new node labeled Saved Queries. This node allows you to create views of Active Directory objects that display the current results of a query you define. Some administrators refer to these as “virtual folders” or “virtual OUs.”
The Windows Help And Support Center provides details about how to create saved queries (search for “Saved Queries”), and learning how to create saved queries is a valuable skill, both for the certification exam and for the real world. Examples of useful saved queries that you might choose to create include:
■ All users, groups, or computers in the domain or in an OU and its child OUs
■ Disabled user or computer accounts
■ Locked out accounts
■ Users with a particular job title or Company property
■ Users who have not changed their passwords or logged on for a particular period of time
■ User accounts with the Password Never Expires flag set
Within the result set displayed by a saved query, you can perform the same administrative tasks that you would perform on objects in an OU. For example, you might use a saved query to identify all users in the domain who have not changed their password in 90 days and disable their accounts. Or you might use a saved query that displays disabled accounts to identify those accounts that should be deleted. By using saved queries and by changing multiple user accounts at once, you can administer your domain users, groups, and computers with minimal administrative effort.
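Most of the Account Options in Tables 3-2 and 3-3, and several of the saved queries listed above, come down to individual bits of the user object’s userAccountControl attribute. The Python below is an added example, not code from the book: it builds the LDAP filter a saved query uses to test one such bit, and audits a constructed set of user records for the settings this lesson flags as sensitive (reversible encryption, password never expires, trusted for delegation, disabled, locked out). The bit values are the documented userAccountControl flags; the sample users are constructed.

```python
"""userAccountControl bits behind the Account Options, and the LDAP filters
saved queries use to find them. Added example; sample records are constructed."""

# Documented userAccountControl flag values.
ACCOUNTDISABLE = 0x0002               # Account Is Disabled
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080   # Store Password Using Reversible Encryption
NORMAL_ACCOUNT = 0x0200               # set on every ordinary user object
DONT_EXPIRE_PASSWD = 0x10000          # Password Never Expires
SMARTCARD_REQUIRED = 0x40000          # Smart Card Is Required For Interactive Logon
TRUSTED_FOR_DELEGATION = 0x80000      # Account Is Trusted For Delegation

# LDAP extensible-match rule for "attribute AND mask == mask" (bitwise AND).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def uac_filter(flag, negate=False):
    """LDAP filter selecting user objects with (or, if negate, without) one
    userAccountControl bit set; e.g. uac_filter(DONT_EXPIRE_PASSWD) is the
    query behind a "Password Never Expires" saved query."""
    term = f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={flag})"
    if negate:
        term = f"(!{term})"
    return f"(&(objectCategory=person)(objectClass=user){term})"


def locked_out_filter():
    """Lockout is not kept in userAccountControl by Active Directory, so a
    "locked out accounts" query tests the lockoutTime attribute instead."""
    return "(&(objectCategory=person)(objectClass=user)(lockoutTime>=1))"


# Constructed records, shaped like the attributes an LDAP search returns.
SAMPLE_USERS = [
    {"sAMAccountName": "dholme", "userAccountControl": NORMAL_ACCOUNT,
     "lockoutTime": 0, "pwdLastSet": 1},
    {"sAMAccountName": "hcarbeck", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
     "lockoutTime": 0, "pwdLastSet": 1},
    {"sAMAccountName": "svc_sql",
     "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | TRUSTED_FOR_DELEGATION,
     "lockoutTime": 0, "pwdLastSet": 1},
    {"sAMAccountName": "macuser",
     "userAccountControl": NORMAL_ACCOUNT | ENCRYPTED_TEXT_PWD_ALLOWED,
     "lockoutTime": 0, "pwdLastSet": 1},
    {"sAMAccountName": "tadams", "userAccountControl": NORMAL_ACCOUNT,
     "lockoutTime": 130000000000000000, "pwdLastSet": 0},
]


def with_flag(users, flag):
    """Names of users whose userAccountControl has the given bit set."""
    return [u["sAMAccountName"] for u in users if u["userAccountControl"] & flag]


def locked_out(users):
    return [u["sAMAccountName"] for u in users if u["lockoutTime"] > 0]


def must_change_password(users):
    """User Must Change Password At Next Logon is pwdLastSet == 0, not a UAC bit."""
    return [u["sAMAccountName"] for u in users if u["pwdLastSet"] == 0]


def audit(users):
    """The review lists Lesson 1 suggests building with saved queries."""
    return {
        "disabled": with_flag(users, ACCOUNTDISABLE),
        "password_never_expires": with_flag(users, DONT_EXPIRE_PASSWD),
        "reversible_encryption": with_flag(users, ENCRYPTED_TEXT_PWD_ALLOWED),
        "trusted_for_delegation": with_flag(users, TRUSTED_FOR_DELEGATION),
        "smart_card_required": with_flag(users, SMARTCARD_REQUIRED),
        "locked_out": locked_out(users),
        "must_change_password": must_change_password(users),
    }


if __name__ == "__main__":
    print(uac_filter(DONT_EXPIRE_PASSWD))
    for category, names in audit(SAMPLE_USERS).items():
        print(f"{category}: {names}")
```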
Moving a User
If a user is transferred within an organization, it is possible that you might need to move his or her user object to reflect a change in the administration or configuration of the object. To move an object in Active Directory Users And Computers, select the object and, from the Action menu, choose Move. Alternatively, you can right-click the object and select Move from the shortcut menu.
Tip A new feature of Windows Server 2003 is that drag-and-drop operations are supported in several MMC snap-ins, including Active Directory Users And Computers. You can move objects between OUs by dragging and dropping them.
Practice: Creating and Managing User Objects
In this practice, you will create three user objects. You will then modify properties of
those objects.
Exercise 1: Create User Objects
1. Log on to Server01 as an administrator.
2. Open Active Directory Users And Computers.
3. Create an OU called “Employees” and then select the Employees OU.
4. Create a user account with the following information, ensuring that you use a
strong password:
Text Box Name Type
First Name Dan
Last Name Holme
User Logon Name dan.holme
User Logon Name (Pre-Windows 2000) dholme
3-12 Chapter 3 User Accounts
5. Create a second user object with the following properties:
Property Type
First Name Hank
Last Name Carbeck
User Logon Name hank.carbeck
User Logon Name (Pre-Windows 2000) hcarbeck
6. Create a user object for yourself, following the same conventions for user logon
names as you did for the first two objects.
Exercise 2: Modify User Object Properties
1. Open the Properties dialog box for your user object.
2. Configure the appropriate properties for your user object on the General, Address,
Profile, Telephones, and Organization tabs.
3. Examine the many properties associated with your user object, but do not change
any other properties yet.
4. Click OK when finished.
Exercise 3: Modify Multiple User Objects’ Properties
1. Open Active Directory Users And Computers and navigate to the Contoso.com
Employees OU. Select the Employees OU in the tree pane, which will list the user
objects you created in Exercise 1 in the details pane.
2. Select Dan Holme’s user object.
3. Hold the CTRL key and select Hank Carbeck’s user object.
4. Click the Action menu, and then click Properties.
5. Notice the difference between the Properties dialog box here, and the more extensive properties dialog box you explored in Exercise 2. Examine the properties that are available when multiple objects are selected, but do not modify any properties yet.
6. Configure the following properties for the two user objects:
Property Page   Property           Type
General         Description        Taught me everything I needed to know about Windows Server 2003
General         Telephone Number   (425) 555-0175
General         Web Page           http://www.microsoft.com/learning/books/
Address         Street             One Microsoft Way
Address         City               Redmond
Address         State/Province     Washington
Address         ZIP/Postal Code    98052
Organization    Title              Author
Organization    Company            Microsoft Press
7. Click OK when you finish configuring the properties.
8. Open the properties of the object Dan Holme.
9. Confirm that the properties you configured in step 6 did, in fact, apply to the
object. Click OK when you are finished.
10. Select Dan Holme’s user object.
11. Hold the CTRL key and select Hank Carbeck’s user object. Click the Action menu.
12. Notice that the Reset Password command is not available when you have selected more than one user object. What other commands are not available when multi-selecting? Experiment by selecting one user, opening the Action menu, then selecting two users and opening the Action menu.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. You are using Active Directory Users And Computers to configure user objects in
your domain, and you are able to change the address and telephone number
properties of the user object representing yourself. However, the New User com-
mand is unavailable to you. What is the most likely explanation?
2. You are creating a number of user objects for a team of your organization’s temporary workers. They will work daily from 9:00 A.M. to 5:00 P.M. on a contract that is scheduled to begin in one month and end two months later. They will not work outside of that schedule. Which of the following properties should you configure initially to ensure maximum security for the objects? (Choose all that apply.)
a. Password
b. Logon Hours
c. Account expires
d. Store password using reversible encryption
e. Account is trusted for delegation
f. User must change password at next logon
g. Account is disabled
h. Password never expires
3. Which of the following properties and administrative tasks can be configured or
performed simultaneously on more than one user object? (Choose all that apply.)
a. Last Name
b. User Logon Name
c. Disable Account
d. Enable Account
e. Reset Password
f. Password Never Expires
g. User Must Change Password At Next Logon
h. Logon Hours
i. Computer Restrictions (Logon Workstations)
j. Title
k. Direct Reports
Lesson Summary
■ You must be a member of the Enterprise Admins, Domain Admins, or Account
Operators groups, or you must have been delegated administrative permissions to
create user objects.
■ User objects include the properties typically associated with a user “identity” or
“account,” including logon names and password, and the unique SID for the user.
■ User objects also include properties related to the individuals they represent,
including personal information, group membership, and administrative settings.
Windows Server 2003 allows you to change some of these properties for multiple
users simultaneously.
Lesson 2: Creating Multiple User Objects
Occasionally, situations emerge that require you to create multiple user objects quickly, such as a new class of incoming students at a school or a group of new hires at an organization. In these situations, you must know how to facilitate or automate user object creation effectively so that you do not approach the task on an account-by-account basis. In Lesson 1, you learned how to create and manage user objects with Active Directory Users and Computers. This lesson will extend those concepts, skills, and tools to include user object creation through template objects, imported objects, and command-line scripting of objects.
After this lesson, you will be able to
■ Create and utilize user object templates
■ Import user objects from comma-delimited files
■ Leverage new command-line tools to create and manage user objects
Estimated lesson time: 15 minutes
Creating and Utilizing User Object Templates
It is common for objects to share similar properties. For example, all sales representatives may belong to the same security groups, are allowed to log on to the network during the same hours, and have home folders and roaming profiles on the same server. In such cases, it is helpful when creating a user object for that object to be pre-populated with common properties. This can be accomplished by creating a generic user object—often called a template—and then copying that object to create new users.
To generate a user template, create a user object and populate its properties. Put the
user into appropriate groups.
Security Alert Be certain to disable the user object, because it is just a template, to
ensure that the account cannot be used for access to network resources.
To create a user based on the template, select the template and choose Copy from the Action menu or the shortcut menu. You will be prompted for properties similar to those when you created a new user: first and last name, initials, logon names, password, and account options. When the object is created, you will find that properties are copied from the template based on the following property-page-based description:
■ General No properties are copied.
■ Address All properties except Street address are copied.
■ Account All properties are copied except for logon names, which you are
prompted to enter when copying the template.
■ Profile All properties are copied, and the profile and home-folder paths are
modified to reflect the new user’s logon name.
■ Telephones No properties are copied.
■ Organization All properties are copied, except for Title.
■ Member Of All properties are copied.
■ Dial-in, Environment, Sessions, Remote Control, Terminal Services Profile,
COM+ No properties are copied.
Tip A user that has been generated by copying a template has, by default, the same group membership as the template. Permissions and rights that are assigned to those groups therefore apply to the new user. However, permissions or rights assigned directly to the template user object are not copied or adjusted, so the new user will not have those permissions or rights.
Importing User Objects Using Csvde
Occasionally, situations arise that require you to create multiple objects quickly, such as a new class of incoming students at a school or a group of new hires at an organization. In these situations it can be helpful to import the accounts from existing data sources so that you do not approach the task on an account-by-account basis.
Csvde is a command-line utility that allows you to import or export objects in Active
Directory from (or to) a comma-delimited text file (also known as a comma-separated
value or CSV file), which is, of course, a common format easily read and saved using
Notepad and Microsoft Office Excel.
The Csvde command is a powerful way to generate objects quickly. The command’s
basic syntax is
csvde [-i] [-f FileName] [-k]
-i : Specifies import mode. If not specified, the default mode is export.
-f FileName : Identifies the import file name.
-k : Ignores errors including “object already exists,” “constraint violation,” and “attribute
or value already exists” during the import operation and continues processing.
The import file itself is a comma-delimited text file (*.csv or *.txt), in which the first line is a list of Lightweight Directory Access Protocol (LDAP) attribute names for the attributes imported, followed by one line (ending with a carriage return) for each object. Each object must contain exactly the attributes listed on the first line in the same order specified by the first line. If an attribute includes spaces or commas, it must be surrounded by quotation marks. A sample file follows:
DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName
"CN=Scott Bishop,OU=Employees, DC=contoso,DC=com",user,sbishop,Bishop,Scott,scott.bishop@contoso.com
This file, when imported, would create a user object in the Employees OU called Scott
Bishop. The logon, first, and last names are configured by the file. The object will be
disabled initially. After you have reset the password, you can enable the object.
Exam Tip Csvde does not support importing or exporting user passwords.
If mandatory attributes are missing, the object will fail to be created. For example, a
user account cannot be created without the DN and object class. It is a best practice
when creating a user account to include the Pre-Windows 2000 Logon Name in the
user interface (sAMAccountName), the first name (givenName), last name (sn), display
name (displayName), and user principal name (userPrincipalName).
Notice that the attribute objectClass is supported in the file. That means you can use Csvde to create other types of objects. For example, the objectClass “group” would create a group.
See Also Chapter 4, “Group Accounts,” includes an example of Csvde used to import groups. For more information about the powerful Csvde command, including details regarding its parameters and its usage to export directory objects, open the Windows Server 2003 Help and Support Center. The Ldifde command, introduced in Chapter 4, Lesson 3, is also covered in detail by the Help and Support Center, and it allows you to import and export accounts using LDAP formats. This command and its file structure are nowhere near as intuitive for administrators as the comma-delimited file supported by Csvde; however, Ldifde does support importing and modifying, but not exporting, user passwords.
Utilizing Active Directory Command-Line Tools
Windows Server 2003 supports a number of powerful command-line tools to facilitate
the management of Active Directory. They are often referred to as the DS commands
because they affect the directory service and because each command begins with “ds.”
See Also This lesson will highlight the most commonly used directory service commands
and parameters and the use of these commands for user objects. The commands will be
revisited in Chapter 4 in relation to group objects. For more information on these utilities,
including the full list of parameters they accept, open the Windows Help And Support Center
and search for the phrase, “directory service command-line tools”—be sure to surround the
phrase in quotation marks. After clicking Search, you will see the Directory Service Command-
Line Tools: Command-Line Reference on the list of Help Topics, under Search Results.
The following is a list, and brief description, of each tool:
■ Dsadd Adds objects to the directory.
■ Dsget Displays (“gets”) properties of objects in the directory.
■ Dsmod Modifies select attributes of an existing object in the directory.
■ Dsmove Moves an object from its current container to a new location. Can also
be used to rename an object without moving it.
■ Dsrm Removes an object, the complete subtree under an object, or both.
■ Dsquery Queries Active Directory for objects that match a specified search criterion. This command is often used to create a list of objects, which are then piped to the other command-line tools for management or modification.
These six tools are described in some detail in later subsections. Each tool uses one or
more command-line options or switches. Before you examine each tool, option, and
switch, look at the following command:
dsquery user "OU=Employees,DC=Contoso,DC=Com" -stalepwd 60
This command queries the Employees OU and returns a list of user objects with passwords that have not been changed (stalepwd stands for “stale password”) for 60 days. You can imagine that this would be useful as a way to audit compliance with corporate password guidelines. The command illustrates important concepts that will resurface as you explore each directory service command:
■ DS commands specify the class, or target object type, of an object that is being created or managed. The example above specifies the target object type user. The target object type can be one of a predefined set of values that correlate with an object class in Active Directory. Common examples are: computer, user, OU, group, and server (meaning domain controller).
■ The Distinguished Name (DN) of the object against which the command is running is called the target object identity. The DN of an object is an attribute of each object that represents the object’s name and location within an Active Directory forest. For example, in Lesson 1, Exercise 1, you created a user object with the distinguished name: CN=Dan Holme, OU=Employees, DC=Contoso, DC=com. The example above queries the OU with the distinguished name: OU=Employees,DC=Contoso,DC=com.
Note When using DNs in a command parameter, enclose the name in quotation marks
when it includes spaces. If a subcomponent of the distinguished name includes a backslash
or comma, see the online help topic listed earlier.
■ The stalepwd switch in the example is prefixed by a dash (“-”). Switches and
parameters are case-insensitive, meaning that capitalization does not matter and
you can prefix them with either a dash (“-”) or a slash (“/”).
■ The parameters and switches that you use in the command will vary depending on
the type of object you are working with. For example, a user object has a stalepwd
property. A group object has a members property.
By default, the DS commands connect to a domain controller that covers the Active
Directory site of your computer and run under the credentials of the account with
which you are logged on. Each DS command accepts parameters to modify these
default behaviors. These parameters are listed below in the tables that describe each
command.
Dsquery
The Dsquery command queries Active Directory for objects that match a specific crite-
ria set. The command’s basic syntax is:
dsquery object_type [{StartNode | forestroot | domainroot}] [-o {dn | rdn | samid}]
[-scope {subtree | onelevel | base}] [-name Name] [-desc Description] [-upn UPN]
[-samid SAMName] [-inactive NumberOfWeeks] [-stalepwd NumberOfDays] [-disabled]
[{-s Server | -d Domain}] [-u UserName] [-p {Password | *}]
As you can see, there are numerous parameters and options for each parameter. In fact, there are even more than the common items listed here. Do not let the list overwhelm you. First, many of the switches are shared with other directory service commands—so as you learn about a switch in any one command, you will be able to apply that knowledge to other commands. Second, you will not need to know the switches in detail to pass the 70-290 certification exam, and you can always use a reference when applying the commands to real-world tasks.
Exam Tip To meet the objectives of the 70-290 certification exam, you must understand the role and use of each command and how the commands interrelate, and you must be able to achieve specific tasks with the DS commands: pay careful attention to the examples provided in this lesson.
The basic parameters of Dsquery are summarized in Table 3-4.
Table 3-4 Parameters for the Dsquery Command

Query scope

object_type
Required. The object type represents the object class(es) that will be searched. The object type can include computer, subnet, contact, group, OU, site, server, user, or the wildcard “*” to represent any object class. This lesson will focus on the command’s use in querying for the user object type.

{StartNode | forestroot | domainroot}
Optional. Specifies the node from which the search begins. You can specify the forest root (forestroot), domain root (domainroot), or a node’s DN (StartNode). If forestroot is specified, the search is performed using the global catalog. The default value is domainroot.

-scope {subtree | onelevel | base}
Optional. Specifies the scope of the search. A value of subtree indicates that the scope is a subtree rooted at StartNode. A value of onelevel indicates the immediate children of StartNode only. A value of base indicates the single object represented by StartNode. If forestroot is specified as StartNode, subtree is the only valid scope. By default, the subtree search scope is used.

How to display the result set

-o {dn | rdn | samid}
Specifies the format in which the list of entries found by the search will be output or displayed. A dn value displays the distinguished name of each entry. An rdn value displays the relative distinguished name of each entry. A samid value displays the Security Accounts Manager (SAM) account name of each entry. By default, the dn format is used.

Query criteria

-name Name
Searches for users whose name attribute (value of the CN attribute) matches Name. You can use wildcards. For example, “jon*” or “*ath” or “j*th” would each produce a result set that includes users named Jonathan.

-desc Description
Searches for users whose description attribute matches Description. You can use wildcards.

-upn UPN
Searches for users whose UPN attribute matches UPN.

-samid SAMName
Searches for users whose SAM account name matches SAMName. You can use wildcards.

-inactive NumberOfWeeks
Searches for all users that have been inactive (stale) for the specified number of weeks.

-stalepwd NumberOfDays
Searches for all users who have not changed their passwords for the specified number of days.

-disabled
Searches for all users whose accounts are disabled.

Domain controller and credentials used for the command

{-s Server | -d Domain}
Connects to a specified remote server or domain.

-u UserName
Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:
■ user name (for example, Linda)
■ domain\user name (for example, widgets\Linda)
■ UPN (for example, Linda@widgets.microsoft.com)

-p {Password | *}
Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.
Exam Tip Inactivity is specified in weeks, but password changes are specified in days.
Examine the command used as an example at the beginning of this section:
dsquery user "OU=Employees,DC=Contoso,DC=Com" -stalepwd 60
You can now identify the following components of the command:
■ Query Scope The query scope is made up of two components. The first is the
target object type, user. The second is the target object identity, StartNode, which
is the DN of the Employees OU.
■ Query Criteria Password has been inactive for 60 days or more: -stalepwd 60.
■ How To Display The Result Set DNs. Because no -o switch was used, the command will output using the default format: a list of DNs of objects meeting the criteria within the scope.
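The saved query mentioned at the start of this chapter (users who have not changed their password in 90 days) and the dsquery -stalepwd example just analysed both rest on the same attribute: pwdLastSet, which Active Directory stores as a Windows FILETIME, the number of 100-nanosecond ticks since 1 January 1601. The following Python is an added example, not code from this book or from the DS tools: it converts a cut-off date to that tick count, builds the LDAP filter a saved query for “password not changed in N days” needs, and applies the same rule to a small constructed set of user records. Two details a practitioner would want are handled explicitly: accounts with pwdLastSet of 0 (the User Must Change Password At Next Logon state) are skipped so that new accounts are not treated as stale, and accounts that are already disabled (userAccountControl bit 0x2) are left out. The attribute names and the bitwise-AND matching rule OID are real; the sample records and the date chosen as “now” are constructed.

```python
import datetime as dt

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)
UNIX_EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)
ACCOUNTDISABLE = 0x0002            # userAccountControl bit: account is disabled
NORMAL_ACCOUNT = 0x0200            # userAccountControl bit: ordinary user account
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def to_filetime(when):
    """Convert an aware UTC datetime to a FILETIME integer."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def from_filetime(ticks):
    """Inverse of to_filetime (sub-microsecond precision is dropped)."""
    return FILETIME_EPOCH + dt.timedelta(microseconds=ticks // 10)


def stale_password_filter(days, now):
    """LDAP filter for enabled users whose password is older than `days` days.

    (pwdLastSet>=1) excludes the value 0, which means a change is already pending,
    and the bitwise-AND rule excludes accounts whose ACCOUNTDISABLE bit is set.
    """
    cutoff = to_filetime(now - dt.timedelta(days=days))
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(pwdLastSet<={cutoff})(pwdLastSet>=1)"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:=2)))"
    )


def find_stale_password_users(records, days, now):
    """Apply the same rule locally; returns DNs, as 'dsquery user ... -stalepwd N' does."""
    cutoff = to_filetime(now - dt.timedelta(days=days))
    hits = []
    for rec in records:
        if rec["pwdLastSet"] == 0:
            continue                                 # change already required
        if rec["userAccountControl"] & ACCOUNTDISABLE:
            continue                                 # nothing more to disable
        if rec["pwdLastSet"] <= cutoff:
            hits.append(rec["distinguishedName"])
    return hits


# Constructed sample records (not real directory data); ages are relative to NOW.
NOW = dt.datetime(2005, 1, 1, tzinfo=dt.timezone.utc)
SAMPLE_USERS = [
    {"distinguishedName": "CN=Dan Holme,OU=Employees,DC=Contoso,DC=Com",
     "pwdLastSet": to_filetime(NOW - dt.timedelta(days=90)),
     "userAccountControl": NORMAL_ACCOUNT},
    {"distinguishedName": "CN=Hank Carbeck,OU=Employees,DC=Contoso,DC=Com",
     "pwdLastSet": to_filetime(NOW - dt.timedelta(days=10)),
     "userAccountControl": NORMAL_ACCOUNT},
    {"distinguishedName": "CN=Scott Bishop,OU=Employees,DC=Contoso,DC=Com",
     "pwdLastSet": 0,                                # must change at next logon
     "userAccountControl": NORMAL_ACCOUNT},
    {"distinguishedName": "CN=Template Sales Representative,OU=Employees,DC=Contoso,DC=Com",
     "pwdLastSet": to_filetime(NOW - dt.timedelta(days=200)),
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},   # template, disabled
]

if __name__ == "__main__":
    print(stale_password_filter(60, NOW))
    for dn in find_stale_password_users(SAMPLE_USERS, 60, NOW):
        print(dn)
```

The filter string is what you would paste into the Custom Search form of a saved query; the local evaluator exists so the rule can be checked against known data before it drives a bulk disable.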
Piping Dsquery Results To Other Directory Service Commands Dsquery is often used
to generate a list of objects against which other DS commands will operate. This is
accomplished by piping the output of Dsquery to a second command. For example:
dsquery user "OU=Employees,DC=Contoso,DC=Com" -stalepwd 60 | dsmod user -mustchpwd yes
This command line queries the Employees OU for users who have not changed their
password for 60 days and pipes the resulting list of objects to Dsmod, which configures
each object with the property “User Must Change Password At Next Logon.” The other
DS commands accept DNs as their input.
To understand how the command line works, let’s begin by looking at an example of
Dsmod (which we will discuss in more detail later in the chapter):
dsmod user "CN=Dan Holme,OU=Employees,DC=Contoso,DC=Com" -mustchpwd yes
This command modifies the account of the user Dan Holme and sets the flag requiring
the user to change passwords at the next logon. Again you can see common elements:
■ The target object type: user
■ The target object identity: Dan Holme. The DN of objects including users, groups,
and computers begins with the common name (CN) of the object followed by its
parent OUs and domain.
■ The switch -mustchpwd, which indicates the “Must Change Password” property, and the value yes, which sets the flag.
You can imagine it would get tiring to enter this command multiple times for each user
who should be required to change passwords. Luckily, you can enter the target object
parameter not only as a DN but by piping a list of objects to the command. Piping
refers to a process through which the output of one command is directed to another
command rather than to the command console. It is called “piping” because you use
the pipe symbol (“|”) to redirect a command’s output.
Look at the following command:
dsquery user "OU=Employees, DC=Contoso,DC=Com" -stalepwd 60 | dsmod user -mustchpwd yes
Notice the familiar Dsquery command that produces a list of users who have not
changed passwords for 60 days or more. It is followed by the pipe symbol, indicating
that its output (by default, a list of DNs) is redirected. Following the pipe is the Dsmod
command without a target object specified. That syntax tells the Dsmod command to
receive the input from the Dsquery command. It is no coincidence that the target
object identity parameter of a directory service command takes the DN of an object
and that the Dsquery command produces, by default, a list of DNs. The Dsmod command will be repeated for each item in the list produced by Dsquery, so together these two commands—Dsquery piped into Dsmod—will set the change password flag for each user account in the Employees OU that has not changed passwords for the last 60 days or more.
We will return to examine Dsmod in more detail. But to wrap up our discussion of
Dsquery and piping its results to other commands, let’s reiterate that the Dsquery
command is often used to produce a list of objects meeting a set of criteria and to
pipe that list of objects into one of the other directory service commands.
Dsadd
The Dsadd command enables you to create objects in Active Directory. When creating a user, use the Dsadd User command. Dsadd parameters allow you to configure specific properties of an object. The parameters are self-explanatory; however, the Windows Server 2003 Help And Support Center provides thorough descriptions of the Dsadd command’s parameters if you desire more explanation.
dsadd user UserDN…
The UserDN… parameter is one or more distinguished names for the new user
object(s). If a DN includes a space, surround the entire DN with quotation marks. You
can enter the UserDN… parameter using one of the following ways:
■ By piping a list of DNs from another command, such as Dsquery.
■ By typing each DN on the command line, separated by spaces.
■ By leaving the DN parameter empty, at which point you can type the DNs, one at a time, at the keyboard console of the command prompt. Press ENTER after each DN. Press CTRL+Z and ENTER after the last DN.
The common parameters for the Dsadd User command, shown below, are self-explanatory. However, the Windows Help And Support Center provides thorough descriptions of these and additional Dsadd parameters if you desire further explanation. Simply search using the name of the command, Dsadd, as your search query.
■ -samid SAMName
■ -upn UPN
■ -fn FirstName
■ -mi Initial
■ -ln LastName
■ -display DisplayName
■ -empid EmployeeID
■ -pwd {Password | *} where * will prompt you for a password
■ -desc Description
■ -memberof GroupDN;...
■ -office Office
■ -tel PhoneNumber
■ -email Email
■ -hometel HomePhoneNumber
■ -pager PagerNumber
■ -mobile CellPhoneNumber
■ -fax FaxNumber
■ -iptel IPPhoneNumber
■ -webpg WebPage
■ -title Title
■ -dept Department
■ -company Company
■ -mgr ManagerDN
■ -hmdir HomeDirectory
■ -hmdrv DriveLetter:
■ -profile ProfilePath
■ -loscr ScriptPath
■ -mustchpwd {yes | no}
■ -canchpwd {yes | no}
■ -reversiblepwd {yes | no}
■ -pwdneverexpires {yes | no}
■ -acctexpires NumberOfDays
■ -disabled {yes | no}
As with Dsquery, you can add -s, -u, and -p parameters to specify the domain controller against which Dsadd will run, and the user name and password—the credentials—that Dsadd will use to execute the command.
■ {-s Server | -d Domain}
■ -u UserName
■ -p {Password | *}
You can use the special token $username$ (case-insensitive) to replace the SAM account name in the value of the -email, -hmdir, -profile, and -webpg parameters. For example, if a SAM account name is “Denise,” you can write the -hmdir parameter in either of the following formats:
■ -hmdir \\server05\users\Denise
■ -hmdir \\server05\users\$username$
Dsmod
The Dsmod command modifies the properties of one or more existing objects.
dsmod user UserDN ... parameters
The command handles the UserDN… parameter exactly as the Dsadd command does and takes the same parameters. Of course now, instead of adding an object with properties, you are modifying an existing object. Note that the exceptions are that you cannot modify the SAMName (-samid parameter) or group membership (-memberof parameter) of a user object using the Dsmod User command.
Exam Tip You can use the Dsmod Group command, discussed in Chapter 4, “Group Accounts,” to change group membership from a command-line utility.
The Dsmod command also takes the -c parameter. This parameter puts Dsmod into
continuous operation mode, in which it reports errors but continues to modify the
objects. Without the -c parameter, Dsmod will stop operation at the first error.
Using Dsquery to pipe objects to Dsmod, you can easily modify selected properties of
many user objects with a single command line. For example:
dsquery user "OU=Employees,DC=Contoso,DC=Com" | dsmod user -PROFILE "\\Server04\Profiles\$username$"
This command modifies all user accounts in the Employees OU to include a user profile attribute pointing to an individual user profile in the Profiles share of Server04. Note the use of the $username$ token, discussed above in the section related to Dsadd: DS commands use $username$, not the %username% token that you would use in the graphical user interface (GUI) administration tools. The following example maps the employees’ U drives to their home folder on Server05:
dsquery user "OU=Employees,DC=Contoso,DC=Com" | dsmod user -HMDIR "\\Server04\Profiles\$username$" -HMDRV U:
Dsget
The Dsget command gets, and outputs, selected properties of one or more existing
objects.
dsget user UserDN ... parameters
The command handles the UserDN… parameter exactly as the Dsadd command does,
and takes the same parameters except that Dsget takes only the parameter and not an
associated value. For example, Dsget takes the -samid parameter, not the -samid
SAMName parameter and value. The reason for this is clear: You are displaying, not
adding or modifying, a property. In addition, Dsget does not support the -password parameter because it cannot display passwords. Dsget adds the -dn and -sid parameters, which display the user object’s distinguished name and SID, respectively.
Like Dsquery, Dsget with the -dn switch returns DNs. Therefore, it is also used regularly to pipe DNs to other directory service commands.
Exam Tip Keep track of the difference between Dsquery and Dsget. Dsquery finds and returns a result set of objects based on property-based search criteria. Dsget returns properties for one or more specified objects.
Dsmove
The Dsmove command allows you to move or rename an object within a domain. You
cannot use it to move objects between domains. Its basic syntax is:
dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
Dsmove also supports the -s, -u, and -p parameters described in the section regarding
Dsquery.
You specify the object that you want to move by using its DN in the parameter
ObjectDN. To rename the object, specify its new common name in the NewName
parameter. To move an object to a new location, specify the distinguished name of a
container by means of the ParentDN parameter.
Dsrm
You use Dsrm to remove an object, its subtree, or both. The basic syntax is:
dsrm ObjectDN ... [-subtree [-exclude]] [-noprompt] [-c]
It supports the -s, -u, and -p parameters described in the section about Dsquery.
You specify the object by using its distinguished name in the ObjectDN parameter. The -subtree switch directs Dsrm to remove the object’s contents if the object is a container object. The -exclude switch excludes the object itself, and you can use it only in conjunction with -subtree. Specifying -subtree and -exclude would, for example, delete an OU’s contents and its subtree, but leave the specified OU intact. By default, without the -subtree or -exclude switches, only the specified object is deleted.
You will be prompted to confirm the deletion of each object unless you specify the
-noprompt parameter. The -c switch puts Dsrm into continuous operation mode, in
which errors are reported but the command keeps processing additional objects.
Without the -c switch, processing halts on the first error.
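Two things decide what a Dsrm command line removes: how the DN is split into its components (the Note earlier in this lesson warns that a component may itself contain a comma or backslash) and the -subtree and -exclude switches. The following Python is an added example, not code from this book or from Dsrm: a DN splitter that honours backslash escapes, a case-insensitive ancestor test, and a function that lists which DNs in a constructed directory a given dsrm invocation would delete, so the set can be reviewed before anything is removed. The directory contents are constructed; the escaping convention (a backslash before a comma inside an RDN value) is the LDAP one Active Directory uses.

```python
def split_dn(dn):
    """Split a DN into its RDNs, keeping a backslash-escaped comma inside its value."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current).strip())   # strip() tolerates "OU=Employees, DC=..."
    return parts


def normalized(dn):
    """RDN list in lower case; Active Directory compares DNs case-insensitively."""
    return [rdn.lower() for rdn in split_dn(dn)]


def is_descendant(dn, ancestor):
    """True when dn lies somewhere beneath ancestor (false for the same object)."""
    child, parent = normalized(dn), normalized(ancestor)
    return len(child) > len(parent) and child[-len(parent):] == parent


def dsrm_targets(directory, object_dn, subtree=False, exclude=False):
    """DNs that 'dsrm object_dn [-subtree [-exclude]]' would delete from `directory`.

    Without -subtree only the object itself is selected, which is what the lesson
    describes as the default. -exclude is valid only together with -subtree.
    """
    if exclude and not subtree:
        raise ValueError("-exclude can only be used together with -subtree")
    targets = []
    for dn in directory:
        if normalized(dn) == normalized(object_dn):
            if not exclude:
                targets.append(dn)
        elif subtree and is_descendant(dn, object_dn):
            targets.append(dn)
    return targets


# Constructed directory contents; "Bishop\, Scott" carries an escaped comma in its CN.
DIRECTORY = [
    "OU=Employees,DC=Contoso,DC=Com",
    "CN=Dan Holme,OU=Employees,DC=Contoso,DC=Com",
    "CN=Bishop\\, Scott,OU=Employees,DC=Contoso,DC=Com",
    "OU=Contractors,OU=Employees,DC=Contoso,DC=Com",
    "CN=Temp Worker,OU=Contractors,OU=Employees,DC=Contoso,DC=Com",
    "CN=Hank Carbeck,OU=Sales,DC=Contoso,DC=Com",
]
EMPLOYEES_OU = "OU=Employees,DC=Contoso,DC=Com"

if __name__ == "__main__":
    for subtree, exclude in ((False, False), (True, False), (True, True)):
        print(f"-subtree={subtree} -exclude={exclude}:")
        for dn in dsrm_targets(DIRECTORY, EMPLOYEES_OU, subtree, exclude):
            print("   ", dn)
```

A naive split on commas would turn the escaped CN into five components and misplace that object in the tree; the same splitter is what you want whenever DNs from Dsquery output are compared or grouped by container.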
Utilizing VBScript to Automate User Administration
The 70-290 certification examination objectives expect you to have a rudimentary understanding of using scripts written in the VBScript scripting language. You will need to be able to recognize, but not necessarily create, simple VBScript operations. However, a more detailed understanding of VBScript is a very useful competency for real-world administration of Active Directory. Because the use of VBScript cuts across multiple topics, including the administration of both users and groups, we have included a supplement entitled “Using VBScript to Automate User and Group Administration” on the CD-ROM accompanying this book.
On the CD Be sure to read the supplement “Using VBScript to Automate User and Group
Administration” on the CD-ROM accompanying this book.
Practice: Creating Multiple User Objects
In this practice, you will create and manage user objects utilizing templates and command-line tools.
Exercise 1: Create a User Template
1. Log on to Server01 as an administrator.
2. Open Active Directory Users And Computers.
3. Select the Employees OU in the tree pane.
4. Create a user account with the following information:
Text Box Name                         Type
First Name                            Template
Last Name                             Sales Representative
User Logon Name                       Template.sales.rep
User Logon Name (Pre–Windows 2000)    Templatesalesrep
5. Click Next.
6. Select Account Is Disabled. Click Next.
7. The summary page appears. Click Finish.
3-28 Chapter 3 User Accounts
Note As mentioned in the chapter’s “Before You Begin” section, you should create a group
in the Security Groups OU called Sales Representatives. If you have not created such a group,
do so now.
8. Open the properties of the Template Sales Representative object.
9. Configure the following properties for the template account:
Tab            Property          Value
Member Of      Member Of         Sales Representatives
Account        Logon Hours       Monday–Friday, 9:00 A.M.–5:00 P.M.
Account        Account Expires   Three months from the current date
Organization   Company           Contoso
Profile        Profile path      \\Server01\Profiles\%Username%
10. Click OK when you have finished configuring account properties.
Exercise 2: Create Users by Copying a User Template
1. Select the Employees OU in the tree pane.
2. Select the Template Sales Representative object.
3. Click the Action menu, and then click Copy.
4. Create a new user account with the following information:
Text Box Name                        Type
First Name                           Scott
Last Name                            Bishop
User Logon Name                      Scott.Bishop
User Logon Name (Pre-Windows 2000)   Sbishop
Account Is Disabled                  Clear the check box
Password/Confirm Password            Enter and confirm a complex password as
                                     described earlier in this chapter.
5. Click Next, and then click Finish.
6. Open the properties of the object Scott Bishop.
7. Confirm that the information configured for the template on the Member Of,
Account, and Organization Property pages were applied to the new object.
8. Because you will use this account for other exercises in the chapter, reset two
properties. In the Account tab, set the Account Expires option to Never, and set
the Logon Hours so that logon is permitted at any time.
Exercise 3: Import User Objects Using CSVDE
1. Open Notepad.
2. Type the following information carefully, creating three lines of text: a header
line and one record per user. Each record is a single line, however it wraps on the
printed page:
DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName
"CN=Danielle Tiedt,OU=Employees,DC=contoso,DC=com",user,dtiedt,Tiedt,Danielle,danielle.tiedt@contoso.com
"CN=Lorrin Smith-Bates,OU=Employees,DC=contoso,DC=com",user,lsmithbates,Smith-Bates,Lorrin,lorrin.smithbates@contoso.com
3. Save the file as "C:\USERS.CSV", being certain to surround the filename with quo-
tation marks. Without quotation marks, Notepad appends its default extension and
saves the file as C:\USERS.CSV.TXT.
4. Open the command prompt and type the following command:
csvde -i -f c:\users.csv
5. If the command output confirms that the command completed successfully, open
Active Directory Users And Computers to confirm that the objects were created in
the Employees OU. If the command output suggests that there were errors, open
the USERS.CSV file in Notepad and correct the errors.
6. You will log on as these users later in this chapter. Because the users were
imported without passwords, you must reset their passwords. After you have con-
figured the users’ passwords, enable the accounts. Both the Reset Password and
Enable Account commands can be found on either the Action or Objects shortcut
menu.
7. If you have access to an application that can open comma-delimited text files such
as Microsoft Excel, open C:USERS.CSV. You will be able to interpret its structure
more easily in a columnar display than in Notepad’s one-line, comma-delimited
text file display.
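The following Windows PowerShell script is an added example; it is not from the book or its CD-ROM supplement. It generates a Csvde import file of the same shape as the one typed by hand above, but for a whole list of employees. It assumes the Employees OU and contoso.com UPN suffix used in the practice, an output path of C:\users.csv, and a constructed employee list; the naming convention (first initial plus surname for the pre-Windows 2000 logon name) is also an assumption. Unlike the hand-typed file, it escapes characters that are special in a distinguished name, quotes CSV fields that contain commas or quotation marks, and refuses to write a sAMAccountName that is duplicated or longer than the 20-character pre-Windows 2000 limit, so bad records are caught before anything reaches the directory.

```powershell
# Added example (not from the book). Builds a Csvde import file for the Employees OU.
# Assumptions: the OU and UPN suffix below, the output path, the constructed employee
# list, and the naming convention (first initial + surname, letters and digits only).
$ou        = 'OU=Employees,DC=contoso,DC=com'
$upnSuffix = 'contoso.com'
$outFile   = 'C:\users.csv'

# Constructed sample data. The third entry carries a comma, which is legal in a
# common name but must be escaped in the DN and quoted in the CSV.
$employees = @(
    @{ Given = 'Danielle'; Surname = 'Tiedt' },
    @{ Given = 'Lorrin';   Surname = 'Smith-Bates' },
    @{ Given = 'Lisa';     Surname = 'Andrews, Jr.' }
)

# Escape an RDN attribute value per RFC 4514 so the DN parses as intended.
function ConvertTo-RdnValue([string]$Value) {
    $v = $Value -replace '([\\,+"<>;=])', '\$1'
    if ($v.StartsWith('#') -or $v.StartsWith(' ')) { $v = '\' + $v }
    if ($v.EndsWith(' ')) { $v = $v.Substring(0, $v.Length - 1) + '\ ' }
    return $v
}

# Quote a CSV field only when it needs it; inner quotation marks are doubled.
function ConvertTo-CsvField([string]$Value) {
    if ($Value -match '[",]') { return '"' + ($Value -replace '"', '""') + '"' }
    return $Value
}

$seen  = @{}
$lines = @('DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName')

foreach ($e in $employees) {
    # Pre-Windows 2000 logon name: first initial + surname, no punctuation, max 20 chars.
    $sam = (($e.Given.Substring(0, 1) + $e.Surname) -replace '[^A-Za-z0-9]', '').ToLower()
    if ($sam.Length -gt 20) { $sam = $sam.Substring(0, 20) }
    if ($seen.ContainsKey($sam)) {
        throw "Duplicate sAMAccountName '$sam' for $($e.Given) $($e.Surname)"
    }
    $seen[$sam] = $true

    # UPN: given.surname with punctuation stripped from each part separately.
    $given   = $e.Given   -replace '[^A-Za-z0-9]', ''
    $surname = $e.Surname -replace '[^A-Za-z0-9]', ''
    $upn     = ($given + '.' + $surname).ToLower() + '@' + $upnSuffix

    $cn = ConvertTo-RdnValue ($e.Given + ' ' + $e.Surname)
    $dn = "CN=$cn,$ou"

    $lines += ( @($dn, 'user', $sam, $e.Surname, $e.Given, $upn) |
                ForEach-Object { ConvertTo-CsvField $_ } ) -join ','
}

# Csvde reads ANSI text unless told otherwise, so write the file as ASCII.
Set-Content -Path $outFile -Value $lines -Encoding Ascii
Write-Host "Wrote $($lines.Count - 1) user record(s) to $outFile. Import with:"
Write-Host "  csvde -i -f $outFile -k"
```

The -k switch on the import makes Csvde continue past "object already exists" and constraint-violation errors instead of stopping at the first one, which is what you want when re-running an import after correcting a few rows. As the exercise notes, Csvde cannot set passwords, so every account it creates is disabled until you reset the password and enable it.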
Exercise 4: Use Active Directory Command-Line Tools
1. Open the command prompt and type the following command:
dsquery user "OU=Employees,DC=contoso,DC=com" -stalepwd 7
2. The command, which finds user objects that have not changed their password in
seven days, should list, at a minimum, the objects you created in exercises 1 and
2. If not, create one or two new user objects and then perform step 1.
3. Type the following command on one line and press ENTER:
dsquery user "OU=Employees,DC=contoso,DC=com" -stalepwd 7 | dsmod user -mustchpwd yes
4. The command used the results of Dsquery as the input for the Dsmod command.
The Dsmod command configured the option “User must change password at next
logon” for each object. Confirm your success by examining the Account tab of the
affected objects.
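The following is an added example, not from the book: the same Dsquery-to-Dsmod pipeline driven from Windows PowerShell so that the result set can be inspected and filtered before anything is modified. It assumes the Employees OU from the practice and that the ds* tools are on the path. It also addresses two things the one-line pipeline hides: Dsquery returns at most 100 objects unless you pass -limit 0, so a large OU is silently truncated, and a disabled template account that happens to have a stale password would be modified along with everyone else.

```powershell
# Added example (not from the book). Finds users in the Employees OU whose passwords
# are at least $staleDays old and forces a change at next logon, skipping disabled
# accounts (such as the template) and previewing unless $apply is $true.
$ou        = 'OU=Employees,DC=contoso,DC=com'
$staleDays = 7
$apply     = $false   # set to $true to actually run dsmod

# Dsquery prints one quoted DN per line; -limit 0 lifts the default cap of 100 results.
function Get-DsqueryDns([string[]]$Arguments) {
    & dsquery user $ou $Arguments -limit 0 |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -ne '' }
}

$stale    = @(Get-DsqueryDns @('-stalepwd', "$staleDays"))
$disabled = @(Get-DsqueryDns @('-disabled'))

# Disabled accounts (the template, departed users) should not be touched.
$targets = @($stale | Where-Object { $disabled -notcontains $_ })

Write-Host ("{0} stale account(s), {1} skipped because disabled" -f `
    $targets.Count, ($stale.Count - $targets.Count))

foreach ($dn in $targets) {
    if (-not $apply) {
        Write-Host "Preview: dsmod user `"$dn`" -mustchpwd yes"
        continue
    }
    & dsmod user $dn -mustchpwd yes
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dsmod failed for $dn (exit code $LASTEXITCODE)"
    }
}
```

Run it once with $apply left at $false, read the preview, and only then flip the switch. The same pattern (query, subtract an exclusion set, apply) works for the other Dsquery filters, such as -inactive, when you are disabling accounts rather than forcing password changes.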
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. What option will be most useful to generate 100 new user objects, each of which
has identical profile path, home folder path, Title, Web Page, Company, Depart-
ment, and Manager settings?
2. Which tool will allow you to identify accounts that have not been used for two
months?
a. Dsadd
b. Dsget
c. Dsmod
d. Dsrm
e. Dsquery
3. What variable can be used with the Dsmod and Dsadd commands to create user-
specific home folders and profile folders?
a. %Username%
b. $Username$
c. CN=Username
d. <Username>
4. Which tools allow you to output the telephone numbers for all users in an OU?
(Choose all that apply.)
a. Dsadd
b. Dsget
c. Dsmod
d. Dsrm
e. Dsquery
Lesson Summary
■ A user object template is an object that is copied to produce new users. If the tem-
plate is not a “real” user, it should be disabled. Only a subset of user properties are
copied from templates.
■ The Csvde command enables you to import directory objects from a comma-
delimited text file.
■ Windows Server 2003 supports powerful new command-line tools to create, man-
age, and delete directory objects: Dsquery, Dsget, Dsadd, Dsmove, Dsmod, and
Dsrm. Frequently, Dsquery will produce a result set of objects that are piped as
input to other commands.
Lesson 3: Managing User Profiles
You probably wouldn’t read this book if you weren’t supporting users, and you know
that there are elements of the user’s system that cause the user pain when they are not
present. For example, if a user logs on and does not have access to his or her Microsoft
Internet Explorer Favorites, or must reconfigure his or her custom dictionary, or does
not see familiar shortcuts or documents on the desktop, the user’s productivity takes an
instant plunge, and the help desk gets a call. Each of these examples relates to com-
ponents of the user profile. Profiles can be configured to enhance their availability,
security, and reliability. In this lesson, you will learn how to manage local, roaming,
group, and mandatory profiles.
■ Understand the application of local and roaming user profiles
■ Configure a roaming user profile
■ Create a preconfigured roaming user or group profile
■ Configure a mandatory profile
User Profiles
A user profile is a collection of folders and data files that contain the elements of your
desktop environment that make it uniquely yours. Settings include:
■ Shortcuts in your Start menu, on your desktop, and in your Quick Launch bar
■ Documents on your desktop and, unless redirection is configured, in your My
Documents folder
Tip The properties of the My Documents folder, and the Folder Redirection policies in Group
Policy, enable you to redirect My Documents so that it targets a network folder. This best prac-
tice allows you to store the contents of users’ My Documents folders on a server, where they
can be backed up, scanned for viruses, and made available to users throughout the organiza-
tion, should they log on to a system other than their normal desktop. You can also make My
Documents available offline, so that users have access to their files even when users are not
connected to the network.
■ Internet Explorer favorites and cookies
■ Certificates (if implemented)
■ Application-specific files such as the Microsoft Office custom user dictionary, user
templates, and autocomplete list
■ My Network Places
■ Desktop display settings such as appearance, wallpaper, and screensaver
These important elements are specific to each user. It is desirable that they be consis-
tent between logons, available should the user need to log on to another system, and
resilient in the event that the user’s system fails and must be reinstalled.
Local User Profiles
By default, user profiles are stored locally on the system in the %Systemdrive%\Doc-
uments and Settings\%Username% folder. They operate in the following manner:
■ When a user logs on to a system for the first time, the system creates a profile for
the user by copying the Default User profile. The new profile folder is named
based on the logon name specified in the user’s initial logon.
■ All changes made to the user’s desktop and software environment are stored in
the local user profile. Each user has his or her individual profiles so settings are
user-specific.
■ The user environment is extended by the All Users profile, which can include
shortcuts in the desktop or start menu, network places, and even application data.
Elements of the All Users profile are combined with the user’s profile to create the
user environment. By default, only members of the Administrators group can
modify the All Users profile.
■ The profile is truly local. If a user logs on to another system, the documents and
settings that are part of their profile do not follow the user. Instead, the new sys-
tem behaves as outlined here, generating a new local profile for the user if it is the
user’s first time logging on to that system.
Roaming User Profiles
If users work at more than one computer, you can configure roaming user profiles
(RUPs) to ensure that their documents and settings are consistent no matter where they
log on. RUPs store the profile on a server, which also means that the profiles can be
backed up, scanned for viruses, and managed centrally. Even in environments where
users do not roam, RUPs provide resiliency for the important information stored in the
profile. If a user’s system fails and must be reinstalled, an RUP will ensure that the
user’s environment is identical on the new system to the one on the previous system.
To configure an RUP, create a shared folder on a server. Ideally, the server should be
a file server that is frequently backed up.
Note Be sure to configure share permissions allowing Everyone Full Control. The Windows
Server 2003 default share permissions allow Read, which is not sufficient for a roaming pro-
file share.
In the Profile tab of the user’s Properties dialog box, type the Profile Path in the format:
\\<server>\<share>\%Username%. The %Username% variable will automatically
be replaced with the user’s logon name.
It’s that simple. The next time the user logs on, the system will identify the roaming
profile location.
! Exam Tip Roaming user profiles are nothing more than a shared folder and a path to the
user’s profile folder, within that share, entered into the user object’s profile path property.
Roaming profiles are not, in any way, a property of a computer object.
When the user logs off, the system will upload the profile to the profile server. The user
can now log on to that system or any other system in the domain, and the documents
and settings that are part of the RUP will be applied.
Note Windows Server 2003 introduces a new policy: Only Allow Local User Profiles. This
policy, linked to an OU containing computer accounts, will prevent roaming profiles from being
used on those computers. Instead, users will maintain local profiles.
When a user with an RUP logs on to a new system for the first time, the system does
not copy its Default User profile. Instead, it downloads the RUP from the network loca-
tion. When a user logs off, or when a user logs on to a system on which he or she had
worked before, the system copies only files that have changed.
Note To ensure that laptop users obtain their roaming user profiles correctly, be certain
that they log on while connected to the network at least one time, so that the roaming profile
is downloaded, prior to working offline.
Roaming Profile Synchronization
Unlike previous versions of Microsoft Windows, Windows 2000, Windows XP,
and Windows Server 2003 do not upload and download the entire user profile at
logoff and logon. Instead, the user profile is synchronized. Only files that have
changed are transferred between the local system and the network RUP folder.
This means that logon and logoff with RUPs are significantly faster than with ear-
lier Windows versions. Organizations that have not implemented RUPs for fear of
their impact on logon and network traffic should reevaluate their configuration in
this light.
Security Alert The locally cached copy of an RUP is permissioned so that only the user
and the computer’s Administrators group have access to the profile. If other users logging on
to the system are members of the Administrators group, you might wish to prevent them from
accessing the locally cached copies of other users’ roaming profiles. To do so, enable the pol-
icy Delete Cached Copies Of Roaming Profiles in the Computer Configuration\Administrative
Templates\System\User Profiles node of a Group Policy Object (GPO).
Creating a Preconfigured User Profile
You can create a customized user profile to provide a planned, preconfigured desktop
and software environment. This is helpful to achieve the following:
■ Provide a productive work environment with easy access to needed network
resources and applications
■ Remove access to unnecessary resources and applications
■ Simplify help desk troubleshooting by enforcing a more straightforward and con-
sistent desktop
No special tools are required to create a preconfigured user profile. Simply log on to a
system and modify the desktop and software settings appropriately. It’s a good idea to
do this as an account other than your actual user account so that you don’t modify your
own profile unnecessarily.
After you’ve created the profile, log on to the system with administrative credentials.
Open System from Control Panel, click the Advanced tab, and then click Settings in the
User Profiles frame. Select the profile you created, and then click Copy To. Type the
Universal Naming Convention (UNC) path to the profile in the format:
\\<server>\<share>\<username>. In the Permitted To Use section, click Change to select the
user for whom you’ve configured the profile. This sets the ACL on the profile folder to
allow access to that user. Figure 3-5 shows an example. Click OK and the profile is
copied to the network location.
Note You must be a member of the Administrators group to copy a profile.
Finally, open the properties of the user object and, in the Profile tab, enter the same
UNC Profile Path field. Voilà! The next time that user logs on to a domain computer,
that profile will be downloaded and will determine his or her user environment.
Figure 3-5 Copying a preconfigured user profile to the network
Tip Be careful with preconfigured roaming profiles, or any roaming profiles, to pay attention
to potential issues related to different hardware on systems to which a user logs on. For exam-
ple, if desktop shortcuts are arranged assuming XGA (1024×768) resolution, and the user
logs on to a system with a display adapter capable of only SVGA (800×600) resolution, some
shortcuts might not be visible.
Profiles are also not fully cross-platform. A profile designed for Windows 98 will not func-
tion properly on a Windows Server 2003 system. You will even encounter inconsistencies
when roaming between Windows Server 2003 systems and Windows XP or Windows 2000
Professional.
Creating a Preconfigured Default Profile
In our introduction to user profiles, we indicated that when a user logs on to a system
for the first time, if that user does not have a roaming user profile or if the folder to
which that user’s roaming user profile is configured is empty, the system copies its
Default User profile as the basis for the user’s initial profile. Therefore, if you wish to
customize the initial environment for all users logging on to a system, you must cus-
tomize the Default User profile on that system.
To do so, follow the steps below, which are explained in the previous section, “Creat-
ing a Preconfigured User Profile.”
1. Create a profile (preferably using a temporary user account so as not to modify
your profile).
2. Log on with a different account that belongs to the Administrators group on the
system.
3. Delete the contents of the existing Default User profile, typically at C:\Documents
and Settings\Default User. Note that this is a hidden folder, so you must have the
Show Hidden Files And Folders option selected in Folder Options from Control
Panel.
4. Use the System program in Control Panel to copy the user profile to the Default
User profile, as shown in Figure 3-6. Be certain to indicate that the Everyone
group is Permitted To Use the profile.
Figure 3-6 Copying a preconfigured Default User profile
Users who log on to the system for the first time without an existing user profile will
receive a copy of your preconfigured Default User profile.
If you wish to create a preconfigured Default User profile that will apply to all systems
in your domain, follow the same steps, except copy the profile to the NETLOGON
share of a domain controller, into a subfolder called Default User—for example,
\\servername\NETLOGON\Default User, where servername is the name of a domain
controller. Domain controllers replicate the contents of their NETLOGON share, so the
Default User profile will replicate to all domain controllers. Computers in the domain
will see the new Default User profile in the NETLOGON share and will replace their
local Default User profile. Then each user who logs on for the first time to any system
in the domain and who does not already have a local or roaming profile will receive a
copy of the profile you configured.
! Exam Tip To create a preconfigured default profile for a single system, replace the com-
puter’s Default User profile. To create a preconfigured default profile for the entire domain,
copy the preconfigured profile to the NETLOGON share into a subfolder named Default User.
There are two important considerations to remember when configuring a domain
Default User profile in the “real world:”
■ The Default User profile in the NETLOGON share of domain controllers replaces
the Default User profile on all systems in the domain, including servers and
domain controllers. This behavior might not be acceptable in your environment.
■ The NETLOGON share of domain controllers is configured with a share permission
that allows only read access. Therefore, to copy the preconfigured profile to a
domain controller, you must either alter the share permissions on the NETLOGON
share for the period of time during which you are uploading the profile or copy
the profile to the same location using another share. The default location of the
NETLOGON share on a domain controller is C:\Windows\SYSVOL\sysvol\contoso
.com\scripts, where contoso.com is your domain’s DNS name. Therefore, you can
copy the profile to \\servername\c$\Windows\SYSVOL\sysvol\contoso.com\scripts,
where servername is the name of a domain controller. The default administrative
drive share, c$, is configured with permissions that allow administrators write access
to the entire volume.
Creating a Preconfigured Group Profile
Roaming profiles enable you to create a standard desktop environment for multiple
users with similar job responsibilities. The process is similar to creating a preconfigured
user profile except that the resulting profile is made available to multiple users.
Create a profile using the steps outlined above. When copying the profile to the server,
use a path such as: \\<server>\<share>\<group profile name>. You must grant access
to all users who will use the profile, so, in the Permitted To Use frame, click Change
and select a group that includes all the users, or the BUILTIN\Users group, which
includes all domain users. The only users to whom the profile will actually apply are
those for which you configure the user object’s profile path.
After copying the profile to the network, you must configure the profile path for the
users to whom the profile will apply. Windows Server 2003 simplifies this task in that
you can multiselect users and change the profile path for all users simultaneously.
Type the same UNC that you used to copy the profile to the network, for example,
\\<server>\<share>\<group profile name>.
! Exam Tip The profile path is configured as a property of one or more user objects. It is not
assigned to a group object. Although the concept is that of a group profile, do not fall into the
trap of associating the profile with a group object itself.
Finally, because more than one user will be accessing a group profile, you must make
a group profile mandatory, as described in the following section.
Configuring a Mandatory Profile
A mandatory profile does not allow users to modify the profile’s environment. More
specifically, a mandatory profile does not maintain changes between sessions. There-
fore, although a user can make changes, the next time the user logs on, the desktop
will look the same as the last time he or she logged on. Changes do not persist.
Mandatory profiles can be helpful in situations in which you want to lock down the
desktop. They are, in a practical sense, critical when you implement group profiles
because you obviously don’t want the changes one user makes to affect the environ-
ments of other users.
To configure a profile as mandatory, simply rename a file in the root folder of the
profile. Interestingly, mandatory profiles are not configured through the application
of permissions. The file you need to rename is Ntuser.dat, the registry hive that holds
the user portion of the profile. It is a hidden file, so you must ensure that you have
enabled the Show Hidden Files And Folders option in the Folder Options program in
Control Panel, or use the attrib command to remove the Hidden attribute. You might
also need to configure Windows Explorer to display file extensions.
Locate the Ntuser.dat file in the profile you wish to make mandatory. Rename the file
to Ntuser.man. The profile, whether roaming or local, is now mandatory.
Keep in mind that the rename changes only how the system loads the profile; it does
not protect the profile’s contents. A user with Write permission to the profile folder
can still alter the files in it, or rename Ntuser.man back to Ntuser.dat, so grant users
only Read permission on the NTFS ACL of a mandatory profile folder and reserve
Full Control for Administrators and SYSTEM.
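The following Windows PowerShell script is an added example, not from the book. It does the file-side and directory-side work described in the two preceding sections: it removes inherited permissions from a group profile folder so that only Administrators and SYSTEM can write to it and the intended group can read it, renames Ntuser.dat to Ntuser.man, and then points the users at the profile with Dsmod, which sets the same profilePath attribute the Profile tab does. It assumes the names from this lesson’s practice (C:\Profiles\Sales on Server01, shared as \\server01\profiles\sales, a Sales Representatives group in the CONTOSO domain, and three user DNs in the Employees OU), that the profile has already been copied into the folder, and that the script runs on the file server as an administrator. The Everyone Full Control share permission the text calls for stays in place; the NTFS entries are what actually limit access.

```powershell
# Added example (not from the book). Locks down a group profile folder, makes the
# profile mandatory, and assigns it to users. Names below are the practice's, assumed.
$profileDir = 'C:\Profiles\Sales'
$profileUnc = '\\server01\profiles\sales'
$readers    = 'CONTOSO\Sales Representatives'
$users      = @(
    'CN=Scott Bishop,OU=Employees,DC=contoso,DC=com',
    'CN=Danielle Tiedt,OU=Employees,DC=contoso,DC=com',
    'CN=Lorrin Smith-Bates,OU=Employees,DC=contoso,DC=com'
)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# 1. NTFS: stop inheriting from C:\Profiles, discard every existing entry, then grant
#    Administrators and SYSTEM full control and the group read-only.
$acl = Get-Acl -Path $profileDir
$acl.SetAccessRuleProtection($true, $false)
foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($existing)
}
$entries = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = $readers;                 Rights = 'ReadAndExecute' }
)
foreach ($entry in $entries) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $entry.Id, $entry.Rights, $inherit, $propagate, $allow
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $profileDir -AclObject $acl

# 2. Mandatory: rename the hidden registry hive. Rename-Item works on hidden files.
$dat = Join-Path $profileDir 'ntuser.dat'
if (Test-Path -LiteralPath $dat) {
    Rename-Item -LiteralPath $dat -NewName 'ntuser.man'
}
if (-not (Test-Path -LiteralPath (Join-Path $profileDir 'ntuser.man'))) {
    throw "ntuser.man not found in $profileDir; copy the profile here first"
}

# 3. Directory: point each user at the shared profile. The group object itself gets
#    no profile path; the attribute lives on the user objects.
foreach ($dn in $users) {
    & dsmod user $dn -profile $profileUnc
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsmod failed for $dn" }
}

# Show the result from the file side: the hive name and the effective NTFS entries.
Get-ChildItem -LiteralPath $profileDir -Force -Filter 'ntuser.*' |
    Select-Object Name, Attributes
(Get-Acl -Path $profileDir).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

If a user later needs a personal, writable profile again, set the profile path on that user object back to \\server01\profiles\%username%; the shared folder and its ACL are untouched by that change.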
Practice: Managing User Profiles
In this practice, you will create roaming and preconfigured roaming user profiles and
mandatory group profiles. You will log on and log off a number of times. Because
standard user accounts are not allowed to log on locally to a domain controller, you
will begin by adding users to the Print Operators group, so that those users can log
on successfully.
Exercise 1: Configure Users to Log On to the Domain Controller
In the real world, you would rarely want users to have permission to log on locally to
a domain controller; however, in our one-system test environment, this capability is
important. Although there are several ways to achieve this goal, the easiest is to add the
Domain Users group to the Print Operators group. The Print Operators group has the
right to log on locally.
1. Open Active Directory Users And Computers.
2. In the tree pane, select the Builtin container.
3. Open the Properties of the Print Operators group.
4. Use the Members tab to add Domain Users to the group.
Exercise 2: Create a Profiles Share
1. Create a Profiles folder on the C drive.
2. Right-click the Profiles folder and choose Sharing and Security.
3. Click the Sharing tab.
4. Share the folder with the default share name: Profiles.
5. Click the Permissions button.
6. Select the check box to allow Full Control.
7. Click OK.
Security Alert Windows Server 2003 applies a limited share permission by default when
creating a share. Most organizations follow the best practice, which is to allow Full Control as
a share permission, and to apply specific NTFS permissions to the ACL of the folder using the
Security tab of the folder’s properties dialog box. However, in the event that an administrator
has not locked down a resource before sharing it, Windows Server 2003 errs in favor of secu-
rity, using a share permission that allows Read-Only access.
Exercise 3: Create a User Profile Template
1. Create a user account that will be used solely for creating profile templates. Use
the following guidelines when creating the account:
Text Box Name                        Type
First Name                           Profile
Last Name                            Account
User Logon Name                      Profile
User Logon Name (Pre-Windows 2000)   Profile
2. Log off of Server01.
3. Log on as the Profile account.
4. Customize the desktop. For example, you might create shortcuts to local or network
resources, such as a shortcut to the C drive on the desktop.
5. Customize the desktop using the Display application in Control Panel. On the
Desktop page of the Display Properties dialog box, you can configure the desktop
background and, by clicking Customize Desktop, add the My Documents, My
Computer, My Network Places, and Internet Explorer icons to the desktop.
6. Log off as the Profile account.
Exercise 4: Set Up a Preconfigured User Profile
1. Log on as Administrator.
2. Open System Properties from Control Panel by double-clicking System.
3. Click the Advanced tab.
4. In the User Profiles frame, click Settings. This opens the User Profiles dialog box.
5. Select the Profile account’s user profile.
6. Click Copy To.
7. In the Copy Profile To frame, type \\server01\profiles\hcarbeck.
8. In the Permitted To Use section, click Change.
9. Type Hank and click OK.
10. Confirm the entries in the Copy To dialog box and click OK.
11. After the profile has copied to the network, click OK twice to close the User Pro-
files and System Properties dialog boxes.
12. Open the C:\Profiles folder to verify that the profile folder “Hcarbeck” was created.
13. Open Active Directory Users And Computers and, in the tree pane, select the
Employees OU.
14. Open the properties of Hank Carbeck’s user object.
15. Click the Profile tab.
16. In the Profile Path field, type \\server01\profiles\%username%.
17. Click Apply and confirm that the %Username% variable was replaced by hcarbeck.
It is important that the profile path match the actual network path to the profile
folder.
18. Click OK.
19. Test the success of the preconfigured roaming user profile by logging off and log-
ging on with the user name hank.carbeck@contoso.com. You should see the desk-
top modifications that you made while logged on as the Profile account.
Exercise 5: Set Up a Preconfigured, Mandatory Group Profile
1. Log on as Administrator.
2. Open System Properties from Control Panel by double-clicking System.
3. Click the Advanced tab.
4. In the User Profiles frame, click Settings.
5. Select the Profile account’s user profile.
6. Click Copy To.
7. In the Copy Profile To frame, type \\server01\profiles\sales.
8. In the Permitted To Use frame, click Change.
9. Type Users and then click OK.
10. Confirm the entries in the Copy To dialog box and then click OK.
11. After the profile has copied to the network, click OK twice to close the User Pro-
files and System Properties dialog boxes.
12. Open the C:\Profiles folder to verify that the profile folder Sales was created.
13. Open Folder Options in Control Panel and, in the View tab, under Advanced Set-
tings, ensure that the option, Show Hidden Files And Folders, is selected.
14. Open the C:\Profiles\Sales folder and rename the file Ntuser.dat to Ntuser.man.
This makes the profile mandatory.
15. Open Active Directory Users And Computers and, in the tree pane, select the
Employees OU.
16. In the details pane, select the following objects by clicking the first and pressing
the CTRL key while selecting additional objects: Scott Bishop, Danielle Tiedt, Lor-
rin Smith-Bates.
17. Click the Action menu and choose Properties.
18. Click the Profile tab, and then select the Profile Path check box.
19. In the Profile Path field, type \\server01\profiles\sales.
20. Click OK.
21. Test the success of the preconfigured roaming user profile by logging off and log-
ging on with the user name danielle.tiedt@contoso.com.
22. Test the mandatory nature of the profile by making a change to the desktop
appearance. You will be able to make the change, but the change will not persist
to future sessions.
23. Log off the computer, and then log on again as Danielle Tiedt. Because the profile
is mandatory, the changes you made in the previous step should not appear.
24. Log off the computer, and log on again as Scott Bishop, with user name
scott.bishop@contoso.com. The same desktop should appear.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. Describe how a user’s desktop is created when RUPs are not implemented.
2. Arrange, in order, the steps that reflect the creation of a preconfigured roaming
user profile. Use all steps provided.
❑ Customize the desktop and user environment.
❑ Log on as a user with sufficient permissions to modify user account proper-
ties.
❑ Copy the profile to the network.
❑ Create a user account so that the profile can be created without modifying
any user’s current profile.
❑ Log on as the profile account.
❑ Enter the UNC path to the profile in a user’s Profile property sheet.
❑ Log on as a local or domain administrator.
3. How do you make a profile mandatory?
a. Configure the permissions on the folder’s Security property sheet to deny
write permission.
b. Configure the permissions on the folders Sharing property sheet to allow only
read permission.
c. Modify the attributes of the profile folder to specify the Read Only attribute.
d. Rename Ntuser.dat to Ntuser.man.
Lesson Summary
■ Windows Server 2003 provides individual profiles for each user who logs on to the
system. Profiles are stored, by default, on the local system in %Systemdrive%\
Documents and Settings\%Username%.
■ Roaming profiles require only a shared folder and the profile path configured in
the user object’s properties.
■ Preconfigured profiles are simply profiles that are copied to the profile path before
the profile path is configured in the user object.
■ Group profiles must be made mandatory, by renaming Ntuser.dat to Ntuser.man,
so that changes made by one user do not affect other users.
Lesson 4: Securing and Troubleshooting Authentication
After you have configured user objects, and users are authenticating against those
accounts, you expose yourself to two additional challenges: security vulnerabilities,
which if unaddressed could compromise the integrity of your enterprise network; and
social engineering challenges, as you work to make the network, and authentication in
general, friendly and reliable for users. Unfortunately, these two dynamics are at odds
with each other—the more secure a network, the less usable it becomes. In this lesson,
we will address issues related to user authentication. You will learn the impact of
domain account policies, including password policies and account lockout policies.
You will also learn how to configure auditing for logon-related events, and to perform
various authentication-related tasks on user objects.
After this lesson, you will be able to
■ Identify domain account policies and their impact on password requirements and
authentication
■ Configure auditing for logon events
■ Modify authentication-related attributes of user objects
Estimated lesson time: 15 minutes
Securing Authentication with Policy
Active Directory on Windows Server 2003 supports security policies to strengthen
passwords and their use within an enterprise. Of course, you must design a password
policy that is sufficiently daunting to attackers while being sufficiently convenient for
users, so that they do not forget passwords (resulting in increased calls to the help
desk) or, worse, write down their passwords.
A system running Windows Server 2003 as a member server maintains a policy related
to its local user accounts. The local security policy can be managed using the
appropriately named snap-in: Local Security Policy.
You will more often be concerned with the policy that affects domain user objects.
Domain account policy is managed by the Default Domain Policy. To examine and
modify this policy, do one of the following:
■ Open Domain Security Policy from the Administrative Tools folder.
■ Open the Group Policy Management Console (GPMC), expand the Group Policy
Objects node within the domain, right-click the Default Domain Policy GPO, and
choose Edit.
Lesson 4 Securing and Troubleshooting Authentication 3-45
■ If the GPMC is not installed, open the Active Directory Users And Computers MMC
console or snap-in. Select the domain node and choose Properties from the Action
menu or the shortcut menu. Click the Group Policy tab. Select Default Domain
Policy and click Edit.
The Group Policy Object Editor console opens, focused on the Default Domain
policy. Navigate to Computer Configuration, Windows Settings, Security Settings,
Account Policies.
Password Policy
The domain password policies enable you to protect your network against password
compromise by enforcing best-practice password management techniques. The
policies are described in Table 3-5.
Table 3-5 Password Policies

Enforce Password History
When this policy is enabled, Active Directory maintains a list of recently used
passwords and will not allow a user to create a password that matches a password in
that history. The result is that a user, when prompted to change his or her password,
cannot use the same password again, and therefore cannot circumvent the password
lifetime. The policy is enabled by default, with the maximum value of 24. Many IT
organizations use a value of 6 to 12.

Maximum Password Age
This policy determines when users will be forced to change their passwords. Passwords
that are unchanged or infrequently changed are more vulnerable to being cracked and
used by attackers to impersonate a valid account. The default value is 42 days. IT
organizations typically enforce password changes every 30 to 90 days.

Minimum Password Age
When users are required to change their passwords—even when a password history is
enforced—they can simply change their passwords several times in a row to circumvent
password requirements and return to their original passwords. The Minimum Password
Age policy prevents this possibility by requiring that a specified number of days must
pass between password changes. Of course, a password can be reset at any time in
Active Directory by an administrator or support person with sufficient permissions. But
the user cannot change his or her password more than once during the time period
specified by this setting.

Minimum Password Length
This policy specifies the minimum number of characters required in a password. The
default in Windows Server 2003 is seven.

Passwords Must Meet Complexity Requirements
This policy enforces rules, or filters, on new passwords. The default password filter in
Windows Server 2003 (passfilt.dll) requires that a password:
❑ Is not based on the user’s account name.
❑ Is at least six characters long.
❑ Contains characters from three of the following four character types:
  Uppercase alphabet characters (A…Z)
  Lowercase alphabet characters (a…z)
  Arabic numerals (0…9)
  Nonalphanumeric characters (for example, !$#,%)
Windows Server 2003 enables this policy by default.
Note Configuring password length and complexity requirements does not affect existing
passwords. These changes will affect new accounts and changed passwords after the policy
is applied.
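The rules in Table 3-5 are individually simple; what users actually run into is their interaction: a six-character password passes the complexity filter yet fails the seven-character minimum, and a user who has just changed a password is blocked by minimum age and history where an administrator's Reset Password is not. The following Python model is an added example, not code from the training kit or from Windows; it re-implements the documented rules so they can be exercised offline. The class and function names, the one-day minimum age, and the sample accounts are this example's assumptions.

```python
"""Model of the Table 3-5 password policy rules, for exercising how they interact.

Added example, not Windows code: it re-implements the documented rules
(passfilt.dll complexity, minimum length, history, minimum and maximum age)
so they can be tried offline. Names are this example's own; defaults follow
the Windows Server 2003 values given in the lesson.
"""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


def _digest(password: str) -> str:
    # History is compared by digest, as a directory does, never by plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class PasswordPolicy:
    enforce_history: int = 24     # passwords remembered (default and maximum)
    max_age_days: int = 42        # default Maximum Password Age
    min_age_days: int = 1         # assumed Minimum Password Age for this demo
    min_length: int = 7           # default Minimum Password Length
    complexity: bool = True       # Passwords Must Meet Complexity Requirements


@dataclass
class UserAccount:
    sam_name: str
    full_name: str
    history: List[str] = field(default_factory=list)  # digests, newest first
    last_set: Optional[datetime] = None


def complexity_violations(password: str, sam_name: str, full_name: str) -> List[str]:
    """Rules of the default Windows Server 2003 filter (passfilt.dll)."""
    problems = []
    lowered = password.lower()
    if sam_name.lower() in lowered:
        problems.append("contains the account name")
    # passfilt also rejects any part of the full name longer than two characters
    for token in re.split(r"[ ,.\-_#\t]+", full_name):
        if len(token) > 2 and token.lower() in lowered:
            problems.append("contains part of the full name: " + token)
    if len(password) < 6:
        problems.append("shorter than six characters")
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        problems.append("fewer than three of the four character types")
    return problems


def change_violations(account, new_password, now, policy, admin_reset=False) -> List[str]:
    """Reasons a change would be refused. An administrator's Reset Password bypasses
    minimum age and history; minimum length and complexity still apply."""
    problems = []
    if not admin_reset:
        if account.last_set is not None and now - account.last_set < timedelta(days=policy.min_age_days):
            problems.append("minimum password age not yet reached")
        if _digest(new_password) in account.history[:policy.enforce_history]:
            problems.append("password found in the history")
    if len(new_password) < policy.min_length:
        problems.append("shorter than the minimum length of %d" % policy.min_length)
    if policy.complexity:
        problems += complexity_violations(new_password, account.sam_name, account.full_name)
    return problems


def apply_change(account, new_password, now, policy, admin_reset=False) -> List[str]:
    """Apply the change when allowed; return the list of violations (empty on success)."""
    problems = change_violations(account, new_password, now, policy, admin_reset)
    if not problems:
        account.history.insert(0, _digest(new_password))
        del account.history[policy.enforce_history:]   # keep only what the policy remembers
        account.last_set = now
    return problems


def password_expired(account, now, policy) -> bool:
    return account.last_set is not None and now - account.last_set >= timedelta(days=policy.max_age_days)


def demo():
    """A user changes a password, tries to return to the old one, and an administrator resets it."""
    policy = PasswordPolicy()
    acct = UserAccount("dtiedt", "Danielle Tiedt")          # constructed sample account
    t0 = datetime(2006, 3, 1, 9, 0)
    t_change = t0 + timedelta(days=2)
    t_retry = t_change + timedelta(hours=1)
    return [
        apply_change(acct, "Orig!nal9", t0, policy, admin_reset=True),             # []
        apply_change(acct, "Ch4nged!!", t_change, policy),                          # []
        apply_change(acct, "Orig!nal9", t_retry, policy),                           # age and history
        apply_change(acct, "Orig!nal9", t_retry, policy, admin_reset=True),         # []
        password_expired(acct, t_retry + timedelta(days=42), policy),               # True
    ]
```

demo() walks the sequence that the Troubleshooting Lab at the end of this chapter asks you to explain: a user's change, an attempt to return to the previous password, and an administrator's reset to that same password.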
Account Lockout Policy
Account lockout refers, in its broadest sense, to the concept that after several failed
logon attempts by a single user, the system should assume that an attacker is
attempting to compromise the account by discovering its password and, in defense, should
lock the account so no further logons may be attempted. Domain account lockout
policies determine the limitations for invalid logons, expressed in a number of invalid
logons in a period of time, and the requirements for an account to become unlocked,
whether by simply waiting or by contacting an administrator. Table 3-6 summarizes
Account Lockout policies.
Table 3-6 Account Lockout Policies

Account Lockout Threshold
This policy configures the number of invalid logon attempts that will trigger account
lockout. The value can be in the range of 0 to 999. A value that is too low (as few as
three, for example) might cause lockouts due to normal, human error at logon. A value
of 0 will result in accounts never being locked out. The lockout counter is not affected
by logons to locked workstations.

Account Lockout Duration
This policy determines the period of time that must pass after a lockout before Active
Directory will automatically unlock a user’s account. The policy is not set by default
because it is useful only in conjunction with the Account Lockout Threshold policy. The
policy accepts values ranging from 0 to 99999 minutes, or about 10 weeks. A value of 0
will require the user to contact appropriate administrators to unlock the account
manually. Although a value of 0 sounds secure and is often touted as a best practice, it
is in fact not recommended because it provides attackers the ability to cause Denial Of
Service (DoS) failures by locking out service, user, or computer accounts. Instead, a low
setting (5 to 15 minutes) is sufficient to reduce account attacks significantly without
allowing lengthy DoS and without unreasonably affecting legitimate users who are
mistakenly locked out.

Reset Account Lockout Counter After
This setting specifies the time that must pass after an invalid logon attempt before the
counter resets to zero. The range is 1 to 99999 minutes, and must be less than or equal
to the account lockout duration.
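How the three lockout settings interact is easier to see in a small model. The following Python is an added example, not code from the training kit or from Windows: it models the failure counter, the reset window, automatic unlock after a timed duration, and the behaviour of a duration of 0, using the values set in Exercise 1 of this lesson as defaults. Class and function names and the timestamps are this example's own.

```python
"""Account lockout counter, duration and reset window as described in Table 3-6.

Added example, not Windows code: a model of how the three lockout policies
interact so the trade-offs in the table can be tried offline. Defaults match
Lesson 4, Exercise 1 (threshold 5, duration 0, reset counter 30 minutes).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int = 5                 # Account Lockout Threshold; 0 = never lock out
    duration_minutes: int = 0          # Account Lockout Duration; 0 = until an administrator unlocks
    reset_counter_minutes: int = 30    # Reset Account Lockout Counter After

    def validate(self) -> None:
        """Ranges from Table 3-6, including reset counter <= duration."""
        if not 0 <= self.threshold <= 999:
            raise ValueError("threshold must be 0..999")
        if not 0 <= self.duration_minutes <= 99999:
            raise ValueError("duration must be 0..99999 minutes")
        if not 1 <= self.reset_counter_minutes <= 99999:
            raise ValueError("reset counter must be 1..99999 minutes")
        if self.duration_minutes and self.reset_counter_minutes > self.duration_minutes:
            raise ValueError("reset counter must not exceed the lockout duration")


def policy_is_valid(policy: LockoutPolicy) -> bool:
    try:
        policy.validate()
        return True
    except ValueError:
        return False


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_at: Optional[datetime] = None


def is_locked(state: AccountState, policy: LockoutPolicy, now: datetime) -> bool:
    """True while locked; performs the automatic unlock once the duration has elapsed."""
    if state.locked_at is None:
        return False
    if policy.duration_minutes == 0:
        return True                       # only unlock_by_administrator() clears this
    if now - state.locked_at >= timedelta(minutes=policy.duration_minutes):
        state.locked_at = None
        state.bad_count = 0
        return False
    return True


def attempt_logon(state: AccountState, policy: LockoutPolicy, now: datetime, password_correct: bool) -> str:
    """Returns 'locked', 'failure' or 'success'."""
    if is_locked(state, policy, now):
        return "locked"                   # a correct password is refused while locked
    if password_correct:
        state.bad_count = 0
        return "success"
    if state.last_bad is not None and now - state.last_bad >= timedelta(minutes=policy.reset_counter_minutes):
        state.bad_count = 0               # the reset window has passed since the last failure
    state.bad_count += 1
    state.last_bad = now
    if policy.threshold and state.bad_count >= policy.threshold:
        state.locked_at = now
        return "locked"
    return "failure"


def unlock_by_administrator(state: AccountState) -> None:
    """Clearing Account Is Locked Out on the Account tab."""
    state.locked_at = None
    state.bad_count = 0


def simulate(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Run (minutes offset, password correct) pairs against a fresh account."""
    policy.validate()
    state = AccountState()
    t0 = datetime(2006, 3, 1, 8, 0)       # constructed start time
    return [attempt_logon(state, policy, t0 + timedelta(minutes=m), ok) for m, ok in attempts]


def demo_duration_zero() -> List[str]:
    """Duration 0: the lock never clears on its own; someone must unlock the account."""
    policy = LockoutPolicy(threshold=5, duration_minutes=0, reset_counter_minutes=30)
    state = AccountState()
    t0 = datetime(2006, 3, 1, 8, 0)
    results = [attempt_logon(state, policy, t0, False) for _ in range(5)]
    results.append(attempt_logon(state, policy, t0 + timedelta(days=30), True))   # still locked
    unlock_by_administrator(state)
    results.append(attempt_logon(state, policy, t0 + timedelta(days=30), True))   # success
    return results
```

The duration-0 run shows why the table discourages that value: a month later the account is still locked, and a correct password is refused until an administrator clears it, whereas with a duration of 30 minutes the same account recovers on its own.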
Cross-Platform Issues
Organizations commonly implement a mix of directory service, server, and client
platforms. In environments in which Windows 95, Windows 98, Windows Me, or
Windows NT 4 participate in an Active Directory domain, administrators need to
be aware of several issues.
■ Passwords: Although Windows 2000, Windows XP Professional, and Windows
Server 2003 support 127-character passwords, Windows 95, Windows 98, and
Windows Me support only 14-character passwords.
■ Active Directory Client: The Active Directory Client can be downloaded from
Microsoft’s Web site and installed on Windows 95, Windows 98, Windows Me, and
Windows NT 4 systems. It enables those platforms running previous editions of
Windows to participate in many Active Directory features available to Windows
2000 Professional or Windows XP Professional, including the following:
❑ Site-awareness: a system with the Active Directory Client will attempt to log
on to a domain controller in its site, rather than to any domain controller in
the enterprise.
❑ Active Directory Service Interfaces (ADSI): use scripting to manage Active
Directory.
❑ Distributed File System (DFS): access DFS shared resources on servers running
Windows 2000 and Windows Server 2003.
❑ NT LAN Manager (NTLM) version 2 authentication: use the improved
authentication features in NTLM version 2.
❑ Active Directory Windows Address Book (WAB): property pages.
❑ Active Directory search capability integrated into the Start–Find or Start–Search
commands.
The following functionalities, supported on Windows 2000 Professional and Windows
XP Professional, are not provided by the Active Directory client on Windows 95,
Windows 98, and Windows NT 4:
■ Kerberos V5 authentication
■ Group Policy or Change and Configuration Management support
■ Service principal name (SPN), or mutual authentication.
In addition, you should be aware of the following issues in mixed environments:
■ Without the Active Directory client, users on systems using versions of Windows
earlier than Windows 2000 can change their password only if the system has
access to the domain controller performing the single master operation called
primary domain controller (PDC) emulator. To determine which system is the PDC
emulator in a domain, open Active Directory Users And Computers, select the
domain node, choose the Operations Masters command from the Action menu,
and then click the PDC tab. If the PDC emulator is unavailable (that is, if it is
offline or on the distant side of a downed network connection), the user cannot
change his or her password.
■ As you have learned in this chapter, user objects maintain two user logon name
properties. The Pre-Windows 2000 logon name, or SAM name, is equivalent to the
user name in Windows 95, Windows 98, or Windows NT 4. When users log on,
they enter their user name and must select the domain from the Log On To box.
In other situations, the user name may be entered in the format
<DomainName>\<UserLogonName>.
Users logging on using Windows 2000 or later platforms may log on the same way, or
they may log on using the more efficient UPN. The UPN takes the format
<UserLogonName>@<UPN Suffix>, where the UPN suffix is, by default, the DNS domain name in
which the user object resides. It is not necessary to select the domain from the Log On To
box when using UPN logon. In fact, the box becomes disabled as soon as you type the
“@” symbol.
Auditing Authentication
If you are concerned that attacks might be taking place to discover user passwords, or
to troubleshoot authentication problems, you can configure an auditing policy that will
create entries in the Security log that might prove illuminating.
Audit Policies
The following policies are located in the Computer Configuration, Windows Settings,
Security Settings, Local Policies, Audit Policy node of Group Policy Object Editor (or
the Local Security Policy snap-in). You can configure auditing for successful or failed
events.
■ Audit Account Management Configures auditing of activities, including the
creation, deletion, or modification of user, group, or computer accounts. Password
resets are also logged when account management auditing is enabled.
■ Audit Account Logon Events This policy audits each instance of user logon
that involves domain controller authentication. For domain controllers, this policy
is defined in the Default Domain Controllers GPO. Note, first, that this policy will
create a Security log entry on a domain controller each time a user logs on
interactively or over the network using a domain account. Second, remember that to
evaluate fully the results of the auditing, you must examine the Security logs on all
domain controllers because user authentication is distributed among each domain
controller in a site or domain.
■ Audit Logon Events Logon events include logon and logoff, interactively or
through network connection. Account logon events are generated on the local
computer for local accounts and on the domain controller for network accounts,
whereas logon events are generated wherever the logon occurs. If you have
enabled Audit Logon Events policy for successes on a domain controller,
workstation logons will not generate logon audits. Only interactive and network logons to
the domain controller itself generate logon events.
Tip Keep track of the distinction between Account Logon and Logon events. When a user
logs on to his or her workstation using a domain account, the workstation registers a Logon
event and the domain controller registers an Account Logon event. When the user connects to
a network server’s shared folder, the server registers a Logon event and the domain controller
registers an Account Logon event.
Security Event Log
After you have configured auditing, the security logs will begin to fill with event
messages. You can view these messages by selecting the Security log in the Event Viewer
snap-in and then double-clicking the event.
Exam Tip Remember that you will need to monitor Account Logon events on each domain
controller to determine if and when a user attempts to log on using a domain account. You
must monitor Logon events on systems to determine if and when a user attempts to log on to
or connect to those systems using either a domain or local account.
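The distinction in the tip above decides where an investigator has to look. The following Python is an added example, not part of the training kit: it parses constructed Security-log records from two domain controllers, a workstation, and a file server, and shows that a password-guessing pattern against one account becomes visible only once the Account Logon failures from all domain controllers are combined, while Logon events show where the account was used. The record layout, computer names, and account names in the sample are this example's constructed values; the event IDs follow Windows Server 2003 Security log numbering, but the logic keys on category and type only.

```python
"""Correlate Account Logon and Logon audit events across several Security logs.

Added example, not part of the training kit. The log lines below are
constructed; the field layout (computer|category|type|event id|account) is
this example's own, not an Event Viewer export format.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SecurityEvent:
    computer: str
    category: str      # "Account Logon", "Logon", or "Account Management"
    kind: str          # "Success Audit" or "Failure Audit"
    event_id: int
    account: str


# Constructed sample: two domain controllers, a workstation, and a file server.
# Each DC alone shows three failures for sbishop; together they reach the threshold of 5.
SAMPLE_LOG = """\
# computer|category|type|event_id|account
DC01|Account Logon|Failure Audit|675|sbishop
DC01|Account Logon|Failure Audit|675|sbishop
DC01|Account Logon|Failure Audit|675|sbishop
DC02|Account Logon|Failure Audit|675|sbishop
DC02|Account Logon|Failure Audit|675|sbishop
DC02|Account Logon|Failure Audit|675|sbishop
DC02|Account Logon|Success Audit|672|dtiedt
WS17|Logon|Failure Audit|529|sbishop
WS17|Logon|Success Audit|528|dtiedt
FS01|Logon|Success Audit|540|dtiedt
DC01|Account Management|Success Audit|628|sbishop
"""


def parse_log(text: str) -> List[SecurityEvent]:
    """Parse the pipe-separated sample format, skipping blank and comment lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        computer, category, kind, event_id, account = line.split("|")
        events.append(SecurityEvent(computer, category, kind, int(event_id), account))
    return events


def from_computer(events: List[SecurityEvent], computer: str) -> List[SecurityEvent]:
    """The events one system's Security log would hold on its own."""
    return [e for e in events if e.computer == computer]


def failed_account_logons(events: List[SecurityEvent]) -> Tuple[Dict[str, Dict[str, int]], Dict[str, int]]:
    """Failure-audit Account Logon events per account: on each DC, and combined."""
    per_dc: Dict[str, Counter] = defaultdict(Counter)
    total: Counter = Counter()
    for e in events:
        if e.category == "Account Logon" and e.kind == "Failure Audit":
            per_dc[e.computer][e.account] += 1
            total[e.account] += 1
    return {dc: dict(c) for dc, c in per_dc.items()}, dict(total)


def password_guessing_suspects(events: List[SecurityEvent], threshold: int) -> List[str]:
    """Accounts whose combined Account Logon failures reach the lockout threshold."""
    _, total = failed_account_logons(events)
    return sorted(acct for acct, n in total.items() if n >= threshold)


def logon_locations(events: List[SecurityEvent], account: str) -> List[str]:
    """Systems that recorded Logon-category events for the account: where it was used."""
    return sorted({e.computer for e in events if e.category == "Logon" and e.account == account})
```

Run against a single DC's log, password_guessing_suspects() finds nothing; run against the merged logs it flags sbishop, which is the point of the exam tip: Account Logon events are spread across every domain controller that answered an authentication request.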
Administering and Troubleshooting User Authentication
When users forget their passwords, or are transferred or terminated, you will have to
manage their user objects appropriately. The most common administrative tasks related
to user account security are unlocking an account, resetting a password, and disabling,
enabling, renaming, and deleting user objects.
Unlocking a User Account
The account lockout policy requires that when a user has exceeded the limit for invalid
logon attempts, the account is locked and no further logons can be attempted for a
specified period of time or until an administrator has unlocked the account. If a user
account is locked out, the user will receive a specific error message at logon, as shown
in Figure 3-7.
Figure 3-7 Logon message indicating the user’s account is locked out
To unlock a user’s account, select the user object and, from the Action menu, choose
Properties. Click the Account tab and clear the check box: Account Is Locked Out.
Resetting User Passwords
If a user forgets his or her password, the user will receive a logon message, as shown
in Figure 3-8. You must reset the password. You do not need to know the user’s old
password to do so. Simply select the user object and, from the Action menu or the
shortcut menu, choose the Reset Password command. Enter the new password twice to
confirm the change, and as a security best practice, select the User Must Change
Password At Next Logon option.
Figure 3-8 Logon message indicating the username or password is invalid
Tip A few days prior to a user’s password expiration, the user will begin to be notified that
the password should be changed. If the user does not heed the notifications or does not
receive them because the user is not connected to the network or is out of the office, the
password will expire. After a password has expired, if the user is unable to log on, the user
will not be able to change his or her password. In such an event an administrator must reset
the user’s password. Again, a best practice is to select the User Must Change Password At
Next Logon option.
Disabling, Enabling, Renaming, and Deleting User Objects
Personnel changes might require you to disable, enable, or rename a user object. The
process for doing so is similar for each action. Select the user and, from the Action
menu, choose the appropriate command, as follows:
■ Disabling And Enabling A User When a user does not require access to the
network for an extended period of time, you should disable the account. Reenable
the account when the user needs to log on once again. Note that only one of the
commands to Disable or Enable will appear on the Action menu depending on the
current status of the object.
If a user attempts to log on when his or her account is disabled, the user will
receive the error message shown in Figure 3-9.
Figure 3-9 Logon message indicating the user’s account is disabled
■ Deleting A User When a user is no longer part of your organization, and there
will not soon be a replacement, delete the user object. Remember that by deleting
a user, you lose its group memberships and, by deleting the SID, its rights and
permissions. If you recreate a user object with the same name, it will have a different
SID, and you will have to reassign rights, permissions, and group memberships.
■ Renaming A User You will rename a user if a user changes his or her name,
for example through marriage, or in the event that a user is no longer part of
your organization, but you are replacing that user and you want to maintain the
rights, permissions, group memberships, and most of the user properties of the
previous user.
If a user attempts to log on to an account that has been deleted or renamed, the
user will be logging on with an invalid user name. The error message the user
receives, shown in Figure 3-8, is the same message displayed if the user enters an
invalid password.
Exam Tip Be certain to understand the difference between disabling and deleting an
object; and between enabling and unlocking a user.
It is also possible that user or computer account configuration in Active Directory
might prevent a user from logging on. The following sections address common
authentication troubleshooting scenarios.
Modifying Account Expiration
If a user account has expired, the user will receive a logon message that says, “Your
account has expired. Please see your system administrator.” You may reactivate the
account by opening the user’s Properties dialog box and clicking the Account tab,
shown in Figure 3-4. In the Account Expires section, either select Never to indicate that
the user account will not expire or configure an expiration date in the future.
Changing or Removing Computer Restrictions
Computer restrictions, introduced in Lesson 1, limit the computers to which a user may
log on. By default, users may log on to any workstation in the domain. They can be
restricted by clicking the Log On To button in the Account tab of the user Properties
dialog box, shown in Figure 3-4. If a user who has computer restrictions configured
attempts to log on to a computer that is not allowed by computer restrictions, the user
will receive the message illustrated in Figure 3-10. To troubleshoot this scenario, do
one of the following:
■ Instruct the user to log on to an allowed workstation.
■ Add the workstation to the user’s list of allowed workstations. In the user’s Prop-
erties dialog box, click Log On To and add the workstation name.
■ Remove all computer restrictions by clicking the Log On To button in the user’s
Account properties page and select All Computers, as shown in Figure 3-11. This
will ensure that the user account allows the user to log on to any client computer
on the network.
Figure 3-10 Logon message indicating the user is restricted from logging on to the computer
Figure 3-11 Computer restrictions dialog box
Granting the User Right to Log On Locally
The user’s ability to log on to a system is also subject to the system’s user rights
assignment security policy that allows local, or interactive, logon. By default, the local
Users group, which includes Domain Users, is allowed the right to log on locally to all
member servers and workstations but not to domain controllers. Therefore, users should be
able to log on to any member server or workstation in the domain. If this default has
been modified, a user might not have the right to log on locally to a computer. The
user will receive a logon message, as shown in Figure 3-12.
Figure 3-12 Logon message indicating the user does not have the right to log on locally
To solve this problem, ensure that the appropriate groups have the right to log on
locally to the computer. To examine the computer’s security policies, open the Local
Security Policy MMC console from the Administrative Tools program group if the
computer is a member server or workstation—or the Domain Controller Security Policy if
the computer is a domain controller. Expand Local Policies and select User Rights
Assignment. The policy is called Log On Locally on a Windows XP system and Allow
Log On Locally on a Windows Server 2003 system.
It is also possible that a GPO has configured the right to log on locally. The analysis of
GPO application using Resultant Set of Policies (RSoP) is beyond the scope of this
book, so consult the Windows Help And Support Center to learn how to use RSoP to
identify which GPO you must modify to enable the user to log on locally.
Managing User Logon Hours
You can configure a user account to permit or deny logon during a particular time
period using the Logon Hours button on the user’s Account properties page, shown in
Figure 3-4. If a user attempts to log on to a system when logon is denied, the user
receives an error message, as shown in Figure 3-13. The user will not be able to log on
to a computer during denied hours.
Figure 3-13 Logon message indicating that the user is logging on outside of permitted logon hours
If the user is already logged on to a system when his or her logon hours expire, the
user is not forced off the system. There is no capability native to Windows operating
systems to force a user to log off a system to which the user is logged on.
However, it is possible, using security policies, to disconnect a user from network
resources when the user’s logon hours expire. The result of this configuration is that,
when logon hours expire, the user can no longer access resources on member servers
or workstations in the domain but is able to continue working on the local system.
To forcibly disconnect a user from network resources, enable the policy setting Network
Security: Force Logoff When Logon Hours Expire. This policy setting is found in the
Local Policies, Security Options node of a GPO. It is recommended to configure this
policy in a GPO with domain-wide scope, such as the Default Domain Policy GPO, which
you can open using the Domain Security Policy MMC console in the Administrative
Tools folder.
Preventing Users from Logging On with Cached Credentials
When a user logs on successfully to a Windows operating system, the computer caches
the user’s credentials (including the user’s username and password). This allows the
user to log on even if the computer cannot contact a domain controller, which has
obvious value for laptop users who work offline. In certain environments, or on certain
systems, you might wish to prevent users from logging on with cached credentials—in
other words, require their computers to be connected to the network and to be able to
contact a domain controller. To achieve this configuration, configure the security policy
Interactive Logon: Number Of Previous Logons To Cache with a value of 0, so that no
logons are cached. You can find this policy in the Computer Configuration, Windows
Settings, Security Settings, Local Policies, Security Options node of a GPO.
Practice: Securing and Troubleshooting Authentication
In this practice, you will configure domain auditing policies. You will then generate
logon events. Finally, you will examine and troubleshoot the results of those logons.
Exercise 1: Configure Policies
1. Open Active Directory Users And Computers.
2. Select the domain node, contoso.com.
3. From the Action menu, choose Properties.
4. On the Group Policy tab, select Default Domain Policy and then click Edit.
5. Navigate to Computer Configuration, Windows Settings, Security Settings, Account
Policies, and, finally, Account Lockout Policy.
6. Double-click the Account Lockout Duration policy.
7. Select the Define This Policy Setting check box.
8. Type 0 for the duration, and then click Apply.
The system will prompt you that it will configure the account lockout threshold
and reset counter policies. Click OK.
9. Click OK to confirm the settings, and then click OK to close the Policy dialog box.
10. Confirm that the Account Lockout Duration policy is zero, the threshold is 5, and
the reset counter policy is 30 minutes.
11. Close the Group Policy Object Editor window.
12. Click OK to close the Properties dialog box for the contoso.com domain.
13. Select the Domain Controllers container, under the domain node.
14. From the Action menu, click Properties.
15. On the Group Policy tab, select Default Domain Controllers Policy and click Edit.
16. Navigate to Computer Configuration, Windows Settings, Security Settings, Local
Policies, and, finally, Audit Policy.
17. Double-click the Audit Account Logon Events policy.
18. Select Define These Policy Settings, select both Success and Failure, and then
click OK.
19. Double-click the Audit Logon Events policy.
20. Select Define These Policy Settings, select both Success and Failure, and then
click OK.
21. Double-click the Audit Account Management policy.
22. Select Define These Policy Settings, select Success, and then click OK.
23. Close the Group Policy Object Editor window.
24. Click OK to close the Domain Controllers Properties dialog box.
Exercise 2: Generate Logon Events
1. Log off Server01.
2. Generate two logon failure events by attempting to log on twice with the
username sbishop and an invalid password.
3. Log on correctly as sbishop.
4. Log off.
Exercise 3: Generate Account Management Events
1. Log on as Administrator.
2. Open Active Directory Users And Computers.
3. In the tree pane, navigate to and select the Employees OU.
4. In the details pane, select Scott Bishop’s user object, and then click the Action
menu.
5. Click the Reset Password command.
6. Enter and confirm a new password for Scott Bishop, and then click OK.
Exercise 4: Examine Authentication Security Event Messages
1. Open the Computer Management console from the Administrative Tools group.
2. Expand Event Viewer and select Security.
3. Make sure the Category column is wide enough that you can identify the types of
events that are logged.
4. Explore the events that have been generated by recent activity. Note the failed
logons, the successful logons, and the resetting of Scott Bishop’s password.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. You enable the password complexity policy for your domain. Describe the
requirements for passwords, and when those requirements will take effect.
2. To monitor potential dictionary attacks against user passwords in your enterprise,
what is the single best auditing policy to configure, and what log or logs will you
evaluate?
3. A user has forgotten his or her password and attempts to log on several times with
an incorrect password. Eventually, the user receives a logon message indicating
that the account is either disabled or locked out. The message suggests that the
user contact an administrator. What must you do? (Choose all that apply.)
a. Delete the user object and recreate it.
b. Rename the user object.
c. Enable the user object.
d. Unlock the user object.
e. Reset the password for the user object.
Lesson Summary
■ The Default Domain Policy drives account policies, including the password and
lockout policies.
■ The Default Domain Controllers Policy specifies key auditing policies for domain
controllers.
■ Auditing for authentication generates events in each domain controller’s secu-
rity logs.
Case Scenario Exercise
One of Contoso’s competitors recently made the news as a recent victim of a breach of
password security that exposed its sensitive data. You decide to audit Contoso’s secu-
rity configuration and you set forth the following requirements:
■ Requirement 1: Because you upgraded your domain controllers from Windows
2000 Server to Windows Server 2003, the domain account policy remained that of
Windows 2000 Server. The domain account policies shall require:
❑ Password changes every 60 days
❑ 8-character passwords
❑ Password complexity
❑ Minimum password duration of one week
❑ Password history of 20 passwords
❑ Account lockout after five invalid logon attempts in a 60-minute period
❑ Administrator intervention to unlock locked out accounts
■ Requirement 2: In addition, ensure that these policies take effect within 24 hours.
Password policies are implemented when a user changes his or her password—
the policies do not affect existing passwords. So you require that users change
their passwords as quickly as possible. You do not want to affect accounts used
by services. Service accounts are stored in Contoso’s Service Accounts OU. User
accounts are stored in the Employees OU and 15 OUs located under the
Employees OU.
■ Requirement 3: Lock down the desktops of the sales representatives so that they
are less likely to install customized Web toolbars, weather watchers,
wallpaper-of-the-day utilities, or other software that might connect to the Internet
and expose the desktop to attack.
Requirement 1
The first requirement involves modifying password and account lockout settings.
1. What should be modified to achieve Requirement 1?
a. The domain controller security template Hisecdc.inf
b. The Default Domain policy
c. The Default Domain Controller policy
d. The domain controller security template Setup Security.inf
2. To configure account lockout so that users must contact the Help Desk to unlock
their accounts, which policy should be specified?
a. Account lockout duration: 999
b. Account lockout threshold: 999
c. Account lockout duration: 0
d. Account lockout threshold: 0
Configure the appropriate domain policies. For guidance, refer to Lesson 4, Exercise 1.
Requirement 2
Requirement 2 indicates that you want to force users to change their password as
quickly as possible. You know that user accounts include the flag User Must Change
Password At Next Logon.
1. What will be the fastest and most effective means to configure user accounts to
require a password change at the next logon?
a. Select a user account. Open its properties and, on the Account page, select
User Must Change Password At Next Logon. Repeat for each user account.
b. Press CTRL+A to select all users in the Employees OU. Choose the Properties
command and, on the Account page, select User Must Change Password At
Next Logon. Repeat for each OU.
c. Use the Dsadd command.
d. Use the Dsrm command.
e. Use the Dsquery and Dsmod commands.
2. The Dsquery command allows you to create a list of objects based on those
objects’ locations or properties and pipe those objects to the Dsmod command,
which then modifies the objects. Open a command prompt and type the following
command:
DSQUERY user "OU=Employees,DC=Contoso,DC=Com"
The command will produce a list of all user objects in the Employees OU. An
advantage of this command is that it would include users in sub-OUs of the
Employees OU. The requirement indicates that you have 15 OUs under the
Employees OU. All would be included in the objects generated by Dsquery.
Now, to meet the requirement, type the following command:
DSQUERY user "OU=Employees,DC=Contoso,DC=Com" | DSMOD user -mustchpwd yes
Requirement 3
This requirement suggests that you modify the user profiles of the sales representatives.
1. What type of profile will be most useful to maintain a locked-down desktop
common to all sales representatives?
a. Local profile
b. Local, mandatory profile
c. The All Users profile
d. Preconfigured roaming group profile
e. Preconfigured roaming mandatory group profile
2. In Lesson 3, Exercise 5, you created a profile called Sales. You made it a
mandatory profile by renaming Ntuser.dat to Ntuser.man. Finally, you assigned it to
several users. How can you ensure that each new sales representative uses the same
profile?
Troubleshooting Lab
In this lab, you will generate several types of logon and account-related failures. You
will then identify the causes of those failures and correct them accordingly.
Before proceeding with this lab, you must have user accounts created. The user
accounts mentioned in the lab are those generated in Lesson 2, Exercise 3. You must
also have configured the domain account policies as in Lesson 4, Exercise 1.
Exercise 1: Generate Logon and Account Failures
1. Log off Server01.
2. Generate an account lockout by logging on six times with the username lsmithbates
and an invalid password. Notice the difference between the Logon Messages you
receive after the attempts and the Logon Message you receive after the account has
been locked out.
3. Log on as Danielle Tiedt with username dtiedt.
4. Press CTRL+ALT+DELETE and change the password to a new password.
5. Press CTRL+ALT+DELETE and try to change the password to the original password.
Is it possible? Why or why not?
6. Try to change the password to yet another new password. Is that possible? Why or
why not?
7. Log off.
Exercise 2: Monitor and Identify Logon and Account Management Events
1. Log on as Administrator.
2. Open the Computer Management console from the Administrative Tools group.
3. Expand the Event Viewer and select Security.
4. Make sure the Category column is wide enough that you can identify the types of
events that are logged.
5. Explore the events that have been generated by recent activity. Notice the failed
logon attempts, the lockout, and the attempts to reset Danielle Tiedt’s password.
Exercise 3: Correct Authentication and Account Problems
1. Open Active Directory Users And Computers.
2. In the tree pane, navigate to and select the Employees OU.
3. In the details pane, select Danielle Tiedt’s user object.
4. From the Action menu, click Reset Password.
5. Type Danielle Tiedt’s original password as the new password. Why are you able
to change the password when, while logged on as Danielle Tiedt, you could not?
6. Select Lorrin Smith-Bates’s user object.
7. From the Action menu, click Properties.
8. In the Account tab, clear the Account Is Locked Out check box.
9. Click OK.
Chapter Summary
■ You must be a member of the Enterprise Admins, Domain Admins, or Account
Operators groups, or you must have been delegated administrative permissions to
create user objects.
■ User objects include the properties typically associated with a user “account,”
including logon names and password and the unique SID for the user. They also
include a number of properties related to the individuals they represent, including
personal information, group membership, and administrative settings. Windows
Server 2003 allows you to change some of these properties for multiple users
simultaneously.
■ A user object template is an object that is copied to produce new users. If the tem-
plate is not a “real” user, it should be disabled. Only a subset of user properties is
copied from templates.
■ The Csvde command enables you to import directory objects from a comma-
delimited text file.
■ Windows Server 2003 supports powerful new command-line tools to create, man-
age, and delete directory objects: Dsquery, Dsget, Dsadd, Dsmove, Dsmod, and
Dsrm. Frequently, Dsquery will produce a result set of objects that can be piped
as input to other commands.
■ Windows Server 2003 provides individual profiles for each user who logs on to the
system. Profiles are stored, by default, on the local system in %Systemdrive%\
Documents and Settings\%Username%.
■ Roaming profiles require only a shared folder, and the profile path configured in
the user object’s properties.
■ Preconfigured profiles are simply profiles that are copied to the profile path before
the profile path is configured in the user object.
■ Group profiles must be made mandatory, by renaming Ntuser.dat to Ntuser.man,
so that changes made by one user do not affect other users.
■ The Default Domain Policy drives account policies, including the password and
lockout policies, whereas the Default Domain Controllers Policy specifies key
auditing policies for domain controllers.
■ Auditing for authentication generates events in each domain controller’s security
logs.
Exam Highlights
Before taking the exam, review the key points and terms that are presented below to
help you identify topics you need to review. Return to the lessons for additional prac-
tice and review the “Further Readings” sections in Part 2 for pointers to more informa-
tion about topics covered by the exam objectives.
Key Points
■ The group memberships or permissions, or both, required to create user accounts.
■ The options at your disposal for creating or managing multiple user accounts: user
templates, importing, and command-line utilities. Understand the differences
among the options, and the relative strengths and weaknesses of each option.
■ The properties that can be accessed or modified, or both, when creating a user,
modifying a user in Active Directory Users And Computers, copying a template,
querying with Dsquery, or adding and modifying users with Dsadd and Dsmod.
■ The process for configuring a roaming user profile, a preconfigured roaming user
profile, or a preconfigured, mandatory group profile.
■ The impact of Group Policy on password and account lockout settings.
■ How to audit authentication events.
Key Terms
user account template You might hear this referred to by other terms, but the idea
is the same. A template account is used as the basis for new accounts. It is copied
to create a new user, and some of its properties, most notably its group member-
ships, are copied as well.
disabled account versus locked account An account is disabled if it has expired or
if it has been disabled by an administrator. An account is locked out if it has been
subject to invalid logons beyond the threshold specified by the account lockout
policy.
mandatory profile A user profile that does not maintain modifications between ses-
sions. A user can modify a mandatory profile, but users’ changes are not saved
when they log off. Group profiles must be made mandatory, or a change made by
one user will affect all users.
Questions and Answers 3-65
Questions and Answers
Lesson 1 Review (Page 3-13)
1. You are using Active Directory Users And Computers to configure user objects in
your domain, and you are able to change the address and telephone number
properties of the user object representing yourself. However, the New User com-
mand is unavailable to you. What is the most likely explanation?
You do not have sufficient privileges to create a user object in the container. The snap-in’s com-
mands will adjust to reflect your administrative capabilities. If you do not have the right to cre-
ate an object, the appropriate New command will be unavailable.
2. You are creating a number of user objects for a team of your organization’s tem-
porary workers. They will work daily from 9:00 A.M. to 5:00 P.M. on a contract that
is scheduled to begin in one month and end two months later. They will not work
outside of that schedule. Which of the following properties should you configure
initially to ensure maximum security for the objects? (Choose all that apply.)
a. Password
b. Logon Hours
c. Account expires
d. Store password using reversible encryption
e. Account is trusted for delegation
f. User must change password at next logon
g. Account is disabled
h. Password never expires
The correct answers are a, b, c, f, g.
3. Which of the following properties and administrative tasks can be configured or
performed simultaneously on more than one user object? (Choose all that apply.)
a. Last Name
b. User Logon Name
c. Disable Account
d. Enable Account
e. Reset Password
f. Password Never Expires
g. User Must Change Password At Next Logon
h. Logon Hours
i. Computer Restrictions (Logon Workstations)
j. Title
k. Direct Reports
The correct answers are c, d, f, g, h, i, j.
Lesson 2 Review (Page 3-30)
1. What option will be most useful to generate 100 new user objects, each of which
has identical profile path, home folder path, Title, Web Page, Company, Depart-
ment, and Manager settings?
Dsadd will be the most useful option. You can enter one command line that includes all the
parameters. By leaving the UserDN parameter empty, you can enter the users’ distinguished
names one at a time in the command console. A user object template does not allow you to
configure options including Title, Telephone Number, and Web Page. Generating a comma-
delimited text file would be time-consuming, by comparison, and would be overkill, particu-
larly when so many parameters are identical.
2. Which tool will allow you to identify accounts that have not been used for two
months?
a. Dsadd
b. Dsget
c. Dsmod
d. Dsrm
e. Dsquery
The correct answer is e.
3. What variable can be used with the Dsmod and Dsadd commands to create user-
specific home folders and profile folders?
a. %Username%
b. $Username$
c. CN=Username
d. <Username>
The correct answer is b.
4. Which tools allow you to output the telephone numbers for all users in an OU?
a. Dsadd
b. Dsget
c. Dsmod
d. Dsrm
e. Dsquery
The correct answers are b and e. Dsquery will produce a list of user objects within an OU and can
pipe that list to Dsget, which in turn can output particular properties such as phone numbers.
Lesson 3 Review (Page 3-42)
1. Describe how a user’s desktop is created when roaming user profiles are not
implemented.
When a user logs on to a system for the first time, the system copies the Default User profile
and creates a user-specific profile in a folder named, by default, %Systemdrive%\Documents
and Settings\%Username%. The environment that the user experiences is a combination of his
or her user profile and the All Users profile.
2. Arrange, in order, the steps that reflect the creation of a preconfigured roaming
user profile. Use all steps provided.
a. Customize the desktop and user environment.
b. Log on as a user with sufficient permissions to modify user account properties.
c. Copy the profile to the network.
d. Create a user account so that the profile can be created without modifying
any user’s current profile.
e. Log on as the profile account.
f. Enter the UNC path to the profile in a user’s Profile property sheet.
g. Log on as a local or domain administrator.
1. Create a user account so that the profile can be created without modifying any user’s cur-
rent profile.
2. Log on as the profile account.
3. Customize the desktop and user environment.
4. Log on as a local or domain administrator.
5. Copy the profile to the network.
6. Log on as a user with sufficient permissions to modify user account properties.
7. Enter the UNC path to the profile in a user’s Profile property sheet.
3. How do you make a profile mandatory?
a. Configure the permissions on the folder’s Security property sheet to deny
write permission.
b. Configure the permissions on the folders Sharing property sheet to allow only
read permission.
c. Modify the attributes of the profile folder to specify the Read Only attribute.
d. Rename Ntuser.dat to Ntuser.man.
The correct answer is d.
Lesson 4 Review (Page 3-58)
1. You enable the password complexity policy for your domain. Describe the
requirements for passwords and when those requirements will take effect.
The password must not be based on the user’s account name; must contain at least six char-
acters, with at least one character from three of the four categories: uppercase, lowercase, Ara-
bic numerals, and nonalphanumeric characters. The requirements will take effect immediately
for all new accounts. Existing accounts will be affected when they next change their password.
2. To monitor potential dictionary attacks against user passwords in your enterprise,
what is the single best auditing policy to configure, and what log or logs will you
evaluate?
The Audit Policy to audit Account Logon failures is the most effective policy to specify under
these circumstances. Failed logons will generate events in the Security logs of all domain con-
trollers.
3. A user has forgotten his or her password and attempts to log on several times with
an incorrect password. Eventually, the user receives a logon message indicating
that the account is either disabled or locked out. The message suggests that the
user contact an administrator. What must you do?
a. Delete the user object and recreate it.
b. Rename the user object.
c. Enable the user object.
d. Unlock the user object.
e. Reset the password for the user object.
The correct answers are d and e. Although the logon message text on Windows 2000 and ear-
lier operating system versions indicates that the account is disabled, the account is actually
locked. Windows Server 2003 displays an accurate message that the account is, in fact,
locked out. However, you can recognize the problem by examining what caused the message: a
user forgot his or her password. You must unlock the account and reset the password.
Case Scenario Exercise, Requirement 1
1. What should be modified to achieve Requirement 1?
a. The domain controller security template Hisecdc.inf
b. The Default Domain policy
c. The Default Domain Controller policy
d. The domain controller security template Setup security.inf
The correct answer is b.
2. To configure account lockout so that users must contact the Help Desk to unlock
their accounts, which policy should be specified?
a. Account lockout duration: 999
b. Account lockout threshold: 999
c. Account lockout duration: 0
d. Account lockout threshold: 0
The correct answer is c.
Configure the appropriate domain policies. For guidance, refer to Lesson 4, Exercise 1.
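The following is an added example and not part of the book or of any Microsoft tool: a small Python model of the account-policy behaviour that the Lesson 4 Review answers and the Troubleshooting Lab describe, namely password complexity, password history, minimum password age, and account lockout with a lockout duration of 0 (the Requirement 1 setting that forces a Help Desk unlock). The policy values (history length 24, minimum age one day, threshold 5, a 30-minute counter window), the passwords and the timestamps are assumptions; the rule that the administrator's Reset Password bypasses history and minimum age is modelled as Exercise 3 step 5 of the lab shows it; the class and function names (AccountPolicy, Account, meets_complexity, run_lab) are the example's own.

```python
"""Constructed model of the account-policy settings that Lesson 4 and the Troubleshooting
Lab exercise: password complexity, password history, minimum password age and account
lockout. Illustration only; it is not the book's code and touches no real domain."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class AccountPolicy:
    complexity: bool = True
    history_length: int = 24                      # assumed "Enforce password history"
    min_age: timedelta = timedelta(days=1)        # assumed "Minimum password age"
    lockout_threshold: int = 5                    # assumed; 0 means "never lock out"
    lockout_duration: Optional[timedelta] = None  # None models duration 0: admin must unlock
    reset_window: timedelta = timedelta(minutes=30)  # assumed "Reset lockout counter after"


def meets_complexity(password: str, account_name: str) -> bool:
    """Lesson 4 Review answer: not based on the account name (modelled as 'does not contain
    it'), at least six characters, and three of the four character classes."""
    if len(password) < 6 or (len(account_name) >= 3 and account_name.lower() in password.lower()):
        return False
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return sum(classes) >= 3


@dataclass
class Account:
    name: str
    password: str                 # a real directory stores hashes, never the password
    policy: AccountPolicy
    last_set: datetime
    history: list = field(default_factory=list)
    bad_attempts: int = 0
    first_bad: Optional[datetime] = None
    locked_at: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        d = self.policy.lockout_duration      # None (duration 0): locked until an admin unlocks
        return self.locked_at is not None and (d is None or now < self.locked_at + d)

    def unlock(self) -> None:  # admin clears Account Is Locked Out, or a timed lockout expires
        self.locked_at, self.bad_attempts, self.first_bad = None, 0, None

    def logon(self, password: str, now: datetime) -> str:
        """Return 'ok', 'bad_password' or 'locked_out', applying the lockout policy."""
        if self.is_locked(now):
            return "locked_out"
        if self.locked_at is not None:            # a timed lockout has just expired
            self.unlock()
        if password == self.password:
            self.bad_attempts, self.first_bad = 0, None
            return "ok"
        if self.first_bad is None or now - self.first_bad > self.policy.reset_window:
            self.first_bad, self.bad_attempts = now, 0   # counter window restarts
        self.bad_attempts += 1
        if self.policy.lockout_threshold and self.bad_attempts >= self.policy.lockout_threshold:
            self.locked_at = now
            return "locked_out"
        return "bad_password"

    def change_password(self, new: str, now: datetime) -> str:
        """User-initiated change (CTRL+ALT+DELETE): complexity, history and minimum age apply."""
        if self.policy.complexity and not meets_complexity(new, self.name):
            return "complexity"
        if new == self.password or new in self.history[-self.policy.history_length:]:
            return "history"
        if now - self.last_set < self.policy.min_age:
            return "min_age"
        self._store(new, now)
        return "ok"

    def admin_reset(self, new: str, now: datetime) -> str:
        """Reset Password in the snap-in: complexity applies; history and minimum age do not."""
        if self.policy.complexity and not meets_complexity(new, self.name):
            return "complexity"
        self._store(new, now)
        return "ok"

    def _store(self, new: str, now: datetime) -> None:
        self.history.append(self.password)
        self.password, self.last_set = new, now


def run_lab(policy: AccountPolicy) -> list:
    """Replay Troubleshooting Lab Exercises 1 and 3 and return each outcome in order.
    The user names are the lab's; passwords and timestamps are constructed."""
    t0 = datetime(2004, 1, 5, 9, 0)
    lsb = Account("lsmithbates", "Winter!2003", policy, t0 - timedelta(days=10))
    dt = Account("dtiedt", "Spring!2003", policy, t0 - timedelta(days=10))
    out = [lsb.logon("wrong", t0 + timedelta(seconds=i)) for i in range(6)]   # Ex. 1 step 2
    out.append(dt.logon("Spring!2003", t0))                                   # step 3
    out.append(dt.change_password("Summer!2004", t0 + timedelta(minutes=1)))  # step 4
    out.append(dt.change_password("Spring!2003", t0 + timedelta(minutes=2)))  # step 5: history
    out.append(dt.change_password("Autumn!2004", t0 + timedelta(minutes=3)))  # step 6: min age
    out.append(dt.admin_reset("Spring!2003", t0 + timedelta(minutes=4)))      # Ex. 3 step 5
    lsb.unlock()                                                              # Ex. 3 step 8
    out.append(lsb.logon("Winter!2003", t0 + timedelta(minutes=5)))
    return out
```

Running run_lab(AccountPolicy()) yields four bad-password results, then two locked-out results (the sixth attempt is refused because the account is already locked, which is the message difference step 2 of Exercise 1 asks you to notice), a successful logon and password change for dtiedt, a refusal of the original password by history, a refusal of a further new password by minimum age, a successful administrative reset to the original password, and a successful logon for lsmithbates once the lockout has been cleared. With the lockout duration left at None the account never unlocks on its own, which is exactly why Requirement 1 chose a duration of 0.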
Case Scenario Exercise, Requirement 2
1. What will be the fastest and most effective means to configure user accounts to
require a password change at the next logon?
a. Select a user account. Open its properties and, on the Account page, select
User Must Change Password At Next Logon. Repeat for each user account.
b. Press CTRL+A to select all users in the Employees OU. Choose the Properties
command and, on the Account page, select User Must Change Password At
Next Logon. Repeat for each OU.
c. Use the Dsadd command.
d. Use the Dsrm command.
e. Use the Dsquery and Dsmod commands.
The correct answer is e.
Case Scenario Exercise, Requirement 3
1. What type of profile will be most useful to maintain a locked-down desktop com-
mon to all sales representatives?
a. Local profile
b. Local, mandatory profile
c. The All Users profile
d. Preconfigured roaming group profile
e. Preconfigured roaming mandatory group profile
The correct answer is b.
2. In Lesson 3, Exercise 5, you created a profile called Sales. You made it a manda-
tory profile by renaming Ntuser.dat to Ntuser.man. Finally, you assigned it to sev-
eral users. How can you ensure that each new sales representative uses the same
profile?
Modify the Sales Representative template account you created in Lesson 2, Exercise 1. In the
Profile tab, type the profile path: \\server01\profiles\sales. Confirm the success of your work
by copying the template to create a new user account; then log on as that user. Make modifi-
cations to the desktop, log off, and log on again. The changes you made to the profile do not
persist between sessions.
4 Group Accounts
Exam Objectives in this Chapter:
■ Create and manage groups
❑ Create and modify groups by using the Microsoft Active Directory Users And
Computers MMC snap-in
❑ Identify and modify the scope of a group
❑ Manage group membership
❑ Create and modify groups by using automation
Why This Chapter Matters
Users, groups, and computers are the key objects in Active Directory directory
service because they allow workers, their managers, system administrators—any-
one using a computer on the network—to establish their identity on the network
as a security principal. Without this identification, personnel cannot gain access to
the computers, applications, and data needed to do their daily work. Although it
is true that the minimal identification required is that of a user and computer,
management of individual user security principals becomes needlessly compli-
cated unless users are organized into groups. Assigning permissions to hundreds
of users individually is not scalable; wise use of groups makes the process of cre-
ating and administering permissions much easier.
Microsoft Windows Server 2003 has two types of groups, each with three distinct
scopes. Understanding the constructions of these groups within the correct scope
ensures the best use of administrative resources when creating, assigning, and
managing access to resources. The possibilities of group construction also
depend on whether the domain or forest in which they are created is running in
the Microsoft Windows 2000 mixed, Windows 2000 native, Windows Server 2003
interim, or Windows Server 2003 domain functional level. Windows Server 2003
comes with several groups already created, or built-in. You can create as many
additional groups as you need.
Lessons in this Chapter:
■ Lesson 1: Understanding Group Types and Scopes . . . . . . . . . . . . . . . . . . . .4-3
■ Lesson 2: Managing Group Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-12
■ Lesson 3: Using Automation to Manage Group Accounts . . . . . . . . . . . . . . .4-15
4-1
4-2 Chapter 4 Group Accounts
Before You Begin
To follow and perform the practices in this chapter, you need
■ A computer designated Server01 with Windows Server 2003 installed.
■ Server01 should be a domain controller in the contoso.com domain.
Lesson 1 Understanding Group Types and Scopes 4-3
Lesson 1: Understanding Group Types and Scopes
Groups are objects that can include user, computer, and other group objects as mem-
bers. When security permissions are set for a group in the access control list (ACL) on
a resource, all members of that group receive those permissions.
Windows Server 2003 has two group types: security and distribution. Security groups
are used to assign permissions for access to network resources. Distribution groups are
used to combine users for e-mail distribution lists. Security groups can be used as an e-
mail distribution list, but distribution groups cannot be in an ACL. Proper planning of
group structure affects maintenance and scalability, especially in an enterprise environ-
ment, in which multiple organizational units (OUs), domains, or forests are involved.
Tip Although you can configure permissions for individual users and computers, doing so
should be the exception rather than the rule. The best administrative practice is to assign
permissions to groups.
After this lesson, you will be able to
■ Identify the two types of groups and their proper use
■ Identify the three types of group scope and their proper use
■ Understand the difference between groups and identities
Estimated lesson time: 15 minutes
Domain Functional Levels
In Windows Server 2003, four domain functional levels are available: Windows
2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and
Windows Server 2003.
■ Windows 2000 mixed For supporting Microsoft Windows NT 4, Windows
2000, and Windows Server 2003 domain controllers
■ Windows 2000 native For supporting Windows 2000 and Windows
Server 2003 domain controllers
■ Windows Server 2003 interim For supporting Windows NT 4 and
Windows Server 2003 domain controllers
■ Windows Server 2003 For supporting Windows Server 2003 domain
controllers
Limitations on group properties discussed in this chapter and elsewhere in this
book will refer to these domain functional levels. For more information regarding
domain functional levels, consult the Windows Help And Support Center.
Group Scope
Group scope defines how permissions are assigned to the group members. Windows
Server 2003 groups, both security and distribution groups, are classified into one of
three group scopes: domain local, global, and universal.
Note Although local groups are not considered part of the group scope of Windows Server
2003, they are included for completeness.
Local Groups
Local groups (or machine local groups) are used primarily for backward compatibility
with Windows NT 4. There are local users and groups on computers running Windows
Server 2003 that are configured as member servers. Domain controllers do not use local
groups.
■ Local groups can include members from any domain within a forest, from trusted
domains in other forests, and from trusted down-level domains.
■ A local group has only machinewide scope; it can grant resource permissions only
on the machine on which it exists.
Domain Local Groups
Domain local groups are used primarily to assign access permissions to global groups
for local domain resources. Domain local groups:
■ Exist in all mixed, interim, and native functional level domains and forests.
■ Are available domainwide only in Windows 2000 native or Windows Server 2003
domain functional level domains. Domain local groups function as a local group
on the domain controllers while the domain is in mixed or interim domain func-
tional level.
■ Can include members from any domain in the forest, from trusted domains in
other forests, and from trusted down-level domains.
■ Have domainwide scope in Windows 2000 native and Windows Server 2003
domain functional level domains and can be used to grant resource permission on
any computer running Windows Server 2003 within, but not beyond, the domain
in which the group exists.
Global Groups
Global groups are used primarily to provide categorized membership in domain local
groups for individual security principals or for direct permission assignment (particularly
in the case of a mixed or interim domain functional level domain). Often, global groups
are used to collect users or computers in the same domain and share the same job, role,
or function. Global groups:
■ Exist in all mixed, interim, and native functional level domains and forests
■ Can include only members from within their domain
■ Can be made a member of machine local or domain local group
■ Can be granted permission in any domain (including trusted domains in other for-
ests and pre–Windows 2003 domains)
■ Can contain other global groups (Windows 2000 native or Windows Server 2003
domain functional level only)
Universal Groups
Universal groups are used primarily to grant access to resources in all trusted domains,
but universal groups can be used only as a security principal (security group type) in
a Windows 2000 native or Windows Server 2003 domain functional level domain.
■ Universal groups can include members from any domain in the forest.
■ In domains configured at the Windows 2000 native or Windows Server 2003
domain functional level, you can grant universal groups permissions in any
domain, including domains in other forests with which a trust exists.
Tip Universal groups can help you represent and consolidate groups that span domains
and perform common functions across the enterprise. A useful guideline is to designate
widely used groups that seldom change as universal groups.
Table 4-1 summarizes the use of Windows Server 2003 domain groups as security prin-
cipals (group type: security).
Table 4-1 Security Group Scope and Membership

Windows 2000 native or Windows Server 2003 domain functional level domain

Domain Local
Members can include: computer accounts, users, global groups, and universal groups
from any domain in the forest or any trusted domain; domain local groups from the
same domain.
Group can be a member of: domain local groups in the same domain.

Global
Members can include: users, computers, and global groups from the same domain.
Group can be a member of: global groups in the same domain; domain local groups in
any domain in the forest or in any trusting domain.

Universal
Members can include: universal groups, global groups, users, and computers from any
domain in the forest.
Group can be a member of: other universal groups or domain local groups in any
domain in the forest.

Windows 2000 mixed or Windows Server 2003 interim functional level domain

Domain Local
Members can include: computer accounts, users, and global groups from any domain in
the forest or any trusted domain.
Group can be a member of: cannot be a member of any other group at these domain
functional levels.

Global
Members can include: only users and computers from the same domain.
Group can be a member of: domain local groups in any domain in the forest or in any
trusting domain.

Universal
Universal security groups are not available in these domain functional levels; however,
distribution groups can be created with universal scope.
Exam Tip Remember that global groups can contain only user, computer, and (in Windows
2000 native or Windows Server 2003 domain functional level) other global groups from the
same domain. Global groups can never contain members from other domains.
Although there are numerous possibilities for managing users and groups, as indicated
in Table 4-1, there is an important best practice for managing users, group member-
ship, and resource access in an Active Directory domain. It is described here along
with examples that relate to a forest belonging to Contoso, a global travel company
with two domains: adventure-works.com and blueyonderairlines.com.
Best Practices: An Example
Within the Contoso company users are members of global groups. (A global
group represents a role for a collection of users, which might include their job
function, location, or organizational position.) Members of the accounting depart-
ment in Adventure Works belong to the AdventureWorksAccountants global
group. Similarly, accountants who work for Blue Yonder Airlines belong to the
Accountants global group in the BlueYonderAirlines domain.
In Windows 2000 native and Windows Server 2003 domain functional levels, glo-
bal groups may occasionally be members of universal groups. (A universal group
represents a role that spans multiple domains in the forest.) A universal group
called ContosoAccountants is created. The AdventureWorksAccountants and
BlueYonderAirlinesAccountants groups are its two members. This group repre-
sents all accountants across both businesses in Contoso.
Global and universal groups are members of domain local groups. (A domain
local group represents the access required to perform a particular task.) In the
Adventure Works domain, a share is created that contains the Adventure Works
budget. Similarly, a share in the Blue Yonder Airlines domain contains the airline’s
budget. It is determined that the accountants in each business will be able to
modify the budget for their business and read the budget for the other business.
The following domain local security groups are created and assigned permissions
on the shares:
■ AdventureWorksBudget_Modify. This group is granted Modify permission to
the Adventure Works budget. Its membership consists of the
AdventureWorksAccountants group.
■ AdventureWorksBudget_Read. This group is granted Read permission to the
Adventure Works budget. Its membership consists of the ContosoAccountants
universal group. If the domain is not in Windows 2000 native or Windows
Server 2003 domain functional level, that group would not exist, so the mem-
bership of the Budget_Read group would be both the
AdventureWorksAccountants and BlueYonderAirlinesAccountants global groups.
■ BlueYonderAirlinesBudget_Modify. This group is granted Modify permission
to the airline’s budget. Its membership consists of the
BlueYonderAirlinesAccountants group.
■ BlueYonderAirlinesBudget_Read. This group is granted Read permission to
the airline’s budget. Its membership consists of the ContosoAccountants univer-
sal group. If the domain is not in Windows 2000 native or Windows Server 2003
domain functional level, that group would not exist; therefore, the membership
of the Budget_Read group would be both the AdventureWorksAccountants
and BlueYonderAirlinesAccountants global groups.
Although this best practice implies a large number of groups for an organization,
it enables simplified auditing by minimizing the number of entries on an ACL and
enables flexible management of resource access. For example, if an external
auditing firm is hired to audit the budgets, the user accounts for those auditors
could be placed in a group, Auditors, and that group could be added to the
Budget_Read groups in each domain. Of course, in the real world the
Budget_Read group may be granted read permission to many budget-related
resources. By modifying a group’s membership, instead of modifying the individ-
ual ACLs of all budget-related resources, managing access to all budget-related
resources becomes significantly easier.
Group Conversion
You determine the scope of a group at the time of its creation. However, in a Windows
2000 native or Windows Server 2003 domain functional level domain, you can convert
domain local and global groups to universal groups, and you can convert universal
groups to global and domain local groups in the domain in which you created the uni-
versal group. You can change group scope simply by selecting the new scope in the
Group Scope pane of the group’s Properties dialog box.
Alternatively, the Dsmod command, discussed in Chapter 3 and in Lesson 3 of this
chapter, can modify group scope. For example, the following command changes the
scope of the Finance group to universal:
dsmod group "CN=Finance,OU=Groups,DC=contoso,DC=com" -scope u
Scopes of u (universal), g (global), and l (domain local) are permitted. A change of
scope is not permitted if:
■ The domain is not at Windows 2000 native or Windows Server 2003 domain func-
tional level.
■ The group’s current memberships would violate group rules if its scope were
changed. For example, if a global group, Finance, is a member of another global
group, you can’t convert the Finance group to universal scope because universal
groups cannot belong to global groups.
Tip Although a global group cannot be directly converted to a domain local group, you can
achieve such scope by converting the global group to a universal group and then converting
the universal group to a domain local group.
In a Windows 2000 native or Windows Server 2003 domain functional level domain, it
is also possible to convert a group’s type from distribution to security and from security
to distribution. Make the change in the Group Type pane of the group’s properties dia-
log box, shown in Figure 4-1, or use Dsmod group with the -secgroup no parameter.
Figure 4-1 Properties page of the Sales security group
Note Be aware of the security implications of changing a security group, which may be
allowed or denied access to a resource, into a distribution group, which is no longer evalu-
ated when a user accesses that resource. It is possible that after the conversion, members
of the group might lose access to resources that the security group had allowed or might gain
access to resources that had previously been denied.
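The following is an added example, not the book's code and not an Active Directory tool: a Python model of the membership rules in Table 4-1, the nested AGDLP structure of the Best Practices example, and the scope-conversion rules of the Group Conversion section. The functional level is passed in as a string; user names (alice, bob), the AllStaff parent group and the domain in which ContosoAccountants is created are constructed for the example, and the function names (can_be_member, can_convert_scope, resolve_users, contoso_budget_read, finance_conversion_check) are the example's own.

```python
"""Constructed model of the security-group scope rules in Table 4-1, the best-practice
nesting example, and the Group Conversion rules. Illustration only; it is not Active
Directory code and touches no real domain."""
from dataclasses import dataclass, field

# Functional levels at which universal security groups and group nesting are available.
NATIVE_LEVELS = {"Windows 2000 native", "Windows Server 2003"}


@dataclass
class Principal:
    name: str
    domain: str
    kind: str                    # user, computer, global, domain_local or universal
    members: list = field(default_factory=list)


def can_be_member(member, group, level):
    """Return (ok, reason): may `member` be added to `group` at domain functional `level`?"""
    same = member.domain == group.domain
    if group.kind == "global":
        if member.kind in ("user", "computer"):
            return same, "global groups take users and computers from their own domain only"
        if member.kind == "global":
            return same and level in NATIVE_LEVELS, "global-in-global needs native/2003 level, same domain"
        return False, "universal and domain local groups cannot belong to global groups"
    if group.kind == "domain_local":
        if member.kind in ("user", "computer", "global"):
            return True, "allowed from any domain in the forest or any trusted domain"
        if member.kind == "universal":
            return level in NATIVE_LEVELS, "universal security groups exist only at native/2003 level"
        return same and level in NATIVE_LEVELS, "domain local nesting needs native/2003 level, same domain"
    if group.kind == "universal":
        if level not in NATIVE_LEVELS:
            return False, "universal security groups are unavailable at mixed/interim level"
        return member.kind != "domain_local", "domain local groups cannot belong to universal groups"
    return False, "users and computers have no members"


def add_member(member, group, level):
    """Add `member` to `group`, refusing anything Table 4-1 forbids."""
    ok, why = can_be_member(member, group, level)
    if not ok:
        raise ValueError(f"cannot add {member.name} to {group.name}: {why}")
    group.members.append(member)


def can_convert_scope(group, new_scope, level, parents=()):
    """Group Conversion rules: native/2003 level only, no direct global <-> domain local
    change, and every existing membership must still be legal afterwards.
    `parents` are the groups that `group` currently belongs to."""
    if level not in NATIVE_LEVELS:
        return False, "domain is not at Windows 2000 native or Windows Server 2003 level"
    direct = {("domain_local", "universal"), ("global", "universal"),
              ("universal", "global"), ("universal", "domain_local")}
    if (group.kind, new_scope) not in direct:
        return False, "global <-> domain local requires an intermediate conversion to universal"
    probe = Principal(group.name, group.domain, new_scope, group.members)
    for m in group.members:
        ok, why = can_be_member(m, probe, level)
        if not ok:
            return False, f"member {m.name}: {why}"
    for p in parents:
        ok, why = can_be_member(probe, p, level)
        if not ok:
            return False, f"parent group {p.name}: {why}"
    return True, "conversion allowed"


def resolve_users(group):
    """Flatten nested membership to the user/computer names an ACL entry for `group` reaches."""
    found, stack, seen = set(), [group], set()
    while stack:
        g = stack.pop()
        if id(g) in seen:
            continue
        seen.add(id(g))
        for m in g.members:
            if m.kind in ("user", "computer"):
                found.add(m.name)
            else:
                stack.append(m)
    return found


def contoso_budget_read(level):
    """Build AdventureWorksBudget_Read as the best-practice example describes for the given
    level and return the users it reaches. User names and the universal group's domain are constructed."""
    aw, by = "adventure-works.com", "blueyonderairlines.com"
    aw_acct = Principal("AdventureWorksAccountants", aw, "global")
    by_acct = Principal("BlueYonderAirlinesAccountants", by, "global")
    add_member(Principal("alice", aw, "user"), aw_acct, level)
    add_member(Principal("bob", by, "user"), by_acct, level)
    budget_read = Principal("AdventureWorksBudget_Read", aw, "domain_local")
    if level in NATIVE_LEVELS:          # universal role group spanning both domains
        contoso = Principal("ContosoAccountants", aw, "universal")
        add_member(aw_acct, contoso, level)
        add_member(by_acct, contoso, level)
        add_member(contoso, budget_read, level)
    else:                               # mixed/interim: nest the global groups directly
        add_member(aw_acct, budget_read, level)
        add_member(by_acct, budget_read, level)
    return resolve_users(budget_read)


def finance_conversion_check(level):
    """The chapter's Finance example: a global group that belongs to another global group
    (AllStaff, constructed here) cannot be converted to universal scope."""
    finance = Principal("Finance", "contoso.com", "global")
    parent = Principal("AllStaff", "contoso.com", "global")
    add_member(finance, parent, level)
    return can_convert_scope(finance, "universal", level, parents=[parent])
```

Both functional-level branches of contoso_budget_read reach the same two users, which is the point of the example: the ACL on the budget share names one domain local group either way, and only the nesting underneath it changes with the functional level. finance_conversion_check returns a refusal whose reason names the parent group, mirroring the rule that a universal group cannot belong to a global group; converting a fresh global group directly to domain local is refused too, because the model only allows the two-step route via universal that the Tip describes.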
Special Identities
There are also some special groups called special identities that are managed by the
operating system. Special identities cannot be created or deleted; nor can their mem-
bership be modified by administrators. Special identities do not appear in the Active
Directory Users And Computers snap-in or in any other computer management tool,
but can be assigned permissions in an ACL. Table 4-2 details some of the special iden-
tities in Windows Server 2003.
Table 4-2 Special Identities and Their Representation

Everyone: Represents all current network users, including guests and users from other
domains. Whenever a user logs on to the network, that user is automatically added to
the Everyone group.

Network: Represents users currently accessing a given resource over the network (as
opposed to users who access a resource by logging on locally at the computer where
the resource is located). Whenever a user accesses a given resource over the network,
the user is automatically added to the Network group.

Interactive: Represents all users currently logged on to a particular computer and
accessing a given resource located on that computer (as opposed to users who access
the resource over the network). Whenever a user accesses a given resource on the
computer to which they are logged on, the user is automatically added to the
Interactive group.

Anonymous Logon: The Anonymous Logon group refers to any user who is using network
resources but did not go through the authentication process.

Authenticated Users: The Authenticated Users group includes all users who are
authenticated into the network by using a valid user account. When assigning
permissions, you can use the Authenticated Users group in place of the Everyone group
to prevent anonymous access to resources.

Creator Owner: The Creator Owner group refers to the user who created or took
ownership of the resource. For example, if a user created a resource, but the
Administrator took ownership of it, then the Creator Owner would be the Administrator.

Dialup: The Dialup group includes anyone who is connected to the network through a
dialup connection.
Caution These groups can be assigned permissions to network resources, although cau-
tion should be used when assigning some of these groups permissions. Members of these
groups are not necessarily users who have been authenticated to the domain. For instance, if
you assign full permissions to a share for the Everyone group, users connecting from any
trusted domains will have access to the share.
Practice: Changing the Group Type and Scope
In this practice, you get hands-on experience creating groups and modifying their scope.
Exercise 1: Creating and Modifying a Group
In this exercise, you will change the type of group and its scope.
1. In Active Directory Users And Computers, create a global distribution group in the
Users container called Agents.
2. Right-click the Agents group, and then choose Properties.
Can you change the scope and type of the group? If not, why not?
If you cannot change the type and scope of the group, the domain in which you
are operating is still in mixed or Windows Server 2003 interim domain functional
level. You must raise the domain functional level to either Windows 2000 native or
Windows Server 2003 to change group type or scope.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. What type of domain group is most like the local group on a member server? How
are they alike?
2. If you are using universal groups in your domain or forest, and you need to give
permission-based access to the members of the universal group, what configura-
tion must be true of the universal group?
3. In a domain running in Windows Server 2003 domain functional level, what secu-
rity principals can be a member of a global group?
Lesson Summary
■ There are two types of groups: security and distribution. Security groups can be
assigned permissions whereas distribution groups are used for query containers,
such as e-mail distribution groups, and cannot be assigned permissions to a
resource.
■ Security permissions for a group are assigned in an ACL just as any other security
principal such as a user or computer.
■ In Windows 2000 native or Windows Server 2003 domain functional level, groups of
both security and distribution type can be constructed as domain local, global, or uni-
versal, each with a different scope as to which security principals they can contain.
Lesson 2: Managing Group Accounts
The Active Directory Users And Computers MMC is the primary tool you will use to
administer security principals—users, groups, and computers—in the domain. In the
creation of groups, you will configure the scope, type, and membership for each. You
will also use the Active Directory Users And Computers MMC to modify membership of
existing groups.
After this lesson, you will be able to
■ Create a group
■ Modify the membership of a group
■ Find the domain groups to which a user belongs
Estimated lesson time: 10 minutes
Creating a Security Group
The tool that you will use most often for creating groups is the Active Directory Users
And Computers MMC, which you can find in the Administrative Tools folder. From
within the Active Directory Users And Computers MMC, right-click the details pane of
the container within which you want to create the group, and choose New, Group.
You then must select the type and scope of group that you want to create.
The type of group that you will create most often is a security group because this is the
type of group you use to assign permissions in an ACL. In a mixed or interim domain
functional level domain, you can create a security group of only domain local or global
scope. As Figure 4-2 illustrates, you cannot create a security group that has universal
scope in domains that are at mixed or interim domain functional level.
Figure 4-2 Security groups in mixed or interim functional level domains
You can, however, create domain local, global, and universal groups as a distribution
type in a mixed or interim domain functional level domain. At the Windows 2000
native or Windows Server 2003 domain functional level, you can create both security
and distribution groups with any scope.
Modifying Group Membership
Adding or deleting members from a group is also accomplished through Active Direc-
tory Users And Computers. Right-click any group, and choose Properties. Figure 4-1
illustrates the Properties dialog box of a global security group called Sales.
Table 4-3 explains the member configuration tabs of the Properties dialog box.
Table 4-3 Membership Configuration
Tab Function
Members Adding, removing, or listing the security principals that belong to this group
Member Of Adding, removing, or listing the groups to which this group belongs
Practice: Modifying Group Membership
In this practice, you will work with group memberships and nesting to identify which
combinations of group memberships are possible.
Exercise 1: Nesting Group Memberships
1. If the domain functional level is not already set to Windows Server 2003, use the
Active Directory Users And Computers MMC to raise the domain functional level
to Windows Server 2003.
2. Create three global groups in the Users OU: Group 1, Group 2, and Group 3.
3. Create three user accounts: User 1, User 2, and User 3.
4. Make User 1, User 2, and User 3 members of Group 1.
5. Make Group 1 a member of Group 2.
Which groups can now be converted to universal groups? Test your theory. (You
should be able to convert 2 of the 3 groups without error.)
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. In the properties of a group, which tab will you access to add users to the group?
2. You want to nest the IT Administrators group responsible for the Sales group
inside the Sales group so that its members will have access to the same resources
(set by permissions in an ACL) as the Sales group. From the Properties page of the
IT Administrators group, what tab will you access to make this setting?
3. If your environment consists of two domains, one Windows Server 2003 and one
Windows NT 4, what group scopes can you use for assigning permissions on any
resource on any domain-member computer?
Lesson Summary
■ Modifying group memberships is accomplished through Active Directory Users
And Computers.
■ If you access the properties of a security principal that is to be a member of a
group, you set the group membership in the Members Of tab of the Security prin-
cipal’s properties. If you access the container (group) that is to hold members, set
the members of the container on the Members tab.
■ Groups can be nested when the domain in which they reside is set to either the
Windows 2000 native or Windows Server 2003 domain functional level. If the
domain is in mixed or interim domain functional level, which means that you are
still supporting Windows NT 4 domain controllers, no group nesting is possible.
■ Changing the type or scope of a group is only possible when the domain func-
tional level is Windows 2000 native or Windows Server 2003.
Lesson 3: Using Automation to Manage Group Accounts
Although the Active Directory Users And Computers MMC is a convenient way to cre-
ate and modify groups individually, it is not the most efficient method for creating large
numbers of security principals. A tool included with Windows Server 2003, Ldifde.exe,
facilitates the importing and exporting of larger numbers of security principals, includ-
ing groups.
After this lesson, you will be able to
■ Import security principals with Ldifde
■ Export security principals with Ldifde
■ Use the Dsadd and Dsmod commands to create and modify groups
Estimated lesson time: 30 minutes
Real World Account Creation
Often you will have a collection of data that already has a great deal of the infor-
mation with which you will populate your Windows Server 2003 Active Directory.
The data might currently be in an existing directory such as Windows NT 4.0,
Windows 2000 Active Directory, Novell Directory Services (NDS), or some other
type of database. (Human Resources departments are famous for compiling data,
for example.)
If you have this user data available, you can use it to populate Active Directory.
Many tools are available to facilitate the transfer of data between directory ser-
vices, such as Ldifde.exe. In addition, most database programs have the built-in
capacity to export their data into a comma-separated value (CSV) file, which
Csvde.exe can import.
Using Csvde
Csvde, discussed in detail in Chapter 3, “User Accounts,” supports the creation of
objects from comma-separated text files. The following example shows a .csv file that
will create a group, Marketing, and populate the group with two initial members:
Dan Holme and Scott Bishop. The objects listed in the member attribute must already
exist in the directory service. The distinguished names (DNs) of member objects are
separated by semicolons.
objectClass,sAMAccountName,DN,member
group,Marketing,"CN=Marketing,OU=Employees,DC=contoso,DC=com","CN=Dan Holme,OU=Employees,DC=contoso,DC=com;CN=Scott Bishop,OU=Employees,DC=contoso,DC=com"
You could import this file into Active Directory using the command:
csvde -i -f filename.csv
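The same Marketing import, as a Python round trip over the csvde file layout: the group DN and the semicolon-joined member DNs each land in one quoted field, and reading the file back splits the member field into individual DNs. This is an added example, not part of the training kit and not Csvde's own code; the DNs are constructed sample values and the column order follows the listing above.

```python
"""csvde-style import row for a group with a multi-valued member attribute.
Added example, not from the training kit or from Csvde itself; all DNs are
constructed sample values in the book's contoso.com naming.
"""
import csv
import io

HEADER = ["objectClass", "sAMAccountName", "DN", "member"]


def group_row(group_dn, sam_account_name, member_dns):
    """One csvde data row.  A multi-valued attribute is written as a single
    field with its values separated by ';'; the csv module adds the double
    quotes because every DN contains commas."""
    return ["group", sam_account_name, group_dn, ";".join(member_dns)]


def write_csv(rows):
    """Header line followed by the data rows, in a string ready to save."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")  # csvde is a Windows tool
    writer.writerow(HEADER)
    writer.writerows(rows)
    return buf.getvalue()


def read_csv(text):
    """Parse the file back into dicts, splitting 'member' into a list of DNs.
    White space around a DN is rejected: the directory would not match the
    padded value to an existing object, so the import would fail anyway."""
    records = []
    for rec in csv.DictReader(io.StringIO(text)):
        members = [m for m in rec["member"].split(";") if m]
        for dn in [rec["DN"], *members]:
            if dn != dn.strip():
                raise ValueError(f"white space around DN: {dn!r}")
        rec["member"] = members
        records.append(rec)
    return records
```

The member objects named in the row must already exist in the directory, exactly as the text says; the parser can only check the file's shape, not the directory's contents.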
Using Ldifde
The Ldifde command allows you to import and export accounts using Lightweight
Directory Access Protocol (LDAP) file formats. It is explained in the Windows Help
And Support Center (search for “Ldifde”). Figure 4-3 lists the primary commands used
with Ldifde displayed by typing ldifde /? at the command prompt.
Figure 4-3 Ldifde command-line help file
The two most important switches for the Ldifde command are:
■ -i Turn on Import mode. (The default is Export.)
■ -f FileName: the Input or Output FileName
For example, the following command will import objects from the file named
Groups.ldf:
ldifde.exe -i -f groups.ldf
Table 4-4 details the primary Ldifde commands.
Table 4-4 Ldifde Commands (Primary)
Command    Usage
General parameters
-i    Turn on Import mode (the default is Export)
-f filename    Input or output file name
-s servername    The server to bind to
-c FromDN ToDN    Replace occurrences of FromDN with ToDN
-v    Turn on Verbose mode
-j path    Log file location
-t port    Port number (default = 389)
-?    Help
Export-specific parameters
-d RootDN    The root of the LDAP search (defaults to the naming context)
-r Filter    LDAP search filter (defaults to "(objectClass=*)")
-p SearchScope    Search scope (Base/OneLevel/Subtree)
-l list    List of attributes (comma-separated) to look for in an LDAP search
-o list    List of attributes (comma-separated) to omit from input
-g    Disable paged search
-m    Enable the Security Accounts Manager (SAM) logic on export
-n    Do not export binary values
Import-specific parameters
-k    The import will ignore "Constraint Violation" and "Object Already Exists" errors
Credentials parameters
-a UserDN    Sets the command to run using the supplied user distinguished name and password; for example: "cn=administrator,dc=contoso,dc=com" password
-b UserName Domain    Sets the command to run as UserName Domain Password; the default is to run using the credentials of the currently logged-on user
Note The Ldifde utility is included in Windows Server 2003, and you can copy it to a com-
puter running Windows 2000 Professional or Windows XP. It can then be bound and used
remotely to the Windows Server 2003 Active Directory.
The format of the file used by Ldifde is not quite as intuitive as the CSV file format.
Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) is a draft
Internet standard for a file format used to perform batch operations against directories
that conform to LDAP standards. You can use LDIF to both import and export data,
allowing batch operations such as add, create, delete, and modify to be performed
against Active Directory. The Ldifde command-line utility included in Windows Server
2003 supports batch operations based on the LDIF file format standard. Therefore, the
LDIF file format is to Ldifde what the CSV file format is to Csvde.
The LDIF file format consists of attribute names followed by a colon and the value of
the attribute. As an example, suppose that you wanted to use Ldifde to create two glo-
bal groups named Marketing and Finance in the Users container of the contoso.com
domain. The contents of the LDIF file would look similar to the following example:
dn: CN=Marketing,CN=Users,DC=Contoso,DC=Com
changetype: add
cn: Marketing
description: Marketing Users
objectClass: group
sAMAccountName: Marketing

dn: CN=Finance,CN=Users,DC=Contoso,DC=Com
changetype: add
cn: Finance
description: Finance Users
objectClass: group
sAMAccountName: Finance
Although doing so is not strictly required, you would usually save this text file with a
.ldf extension—for example, Groups.ldf. Each record begins with its dn line, and records
are separated from one another by a blank line. The changetype entry is not an attribute
name. Instead, its value specifies the type of operation that needs to occur. The three
valid changetype values are add, modify, and delete. As the names suggest, add will
import new content into the directory, modify will change the configuration of existing
content, and delete will remove the specified content.
To import the contents of the LDIF file shown above, the command would be:
ldifde.exe -i -f groups.ldf
After this command is issued, two new global groups named Marketing and Finance
would be added to the Users container of the contoso.com domain. To add two mem-
bers to a group using Ldifde, the LDIF file would be:
dn: CN=Finance,CN=Users,DC=Contoso,DC=Com
changetype: modify
add: member
member: CN=Dan Holme,OU=employees,dc=contoso,dc=com
member: CN=Scott Bishop,OU=employees,dc=contoso,dc=com
-
The changetype is set to modify and then the change operation is specified: add
objects to the member attribute. Each new member is then listed on a separate line that
begins with the attribute name, member. The change operation is terminated with a
line containing a single dash. Changing the third line to the following would remove
the two specified members from the group:
delete: member
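A parser for the add and modify records shown above, as an added Python example; it is not Ldifde's own code and makes no directory calls. It accepts the lone dash that ends a change operation, the blank line between records, RFC 2849 line folding and base64 values, and it rejects the stray white space that the Exercise 3 Tip later in this lesson warns will make an import fail. The LdifError and Record names are this example's own, and the SAMPLE_ADD and SAMPLE_MODIFY strings embed the lesson's two listings as constructed input.

```python
"""Parser for the LDIF change records this lesson feeds to Ldifde.
Added example, not Ldifde's own code: it handles 'changetype: add' records,
'changetype: modify' records whose add:/delete:/replace: blocks each end with a
lone '-' line, RFC 2849 line folding and base64 ('::') values, and it rejects
the stray white space that the Exercise 3 Tip warns will make an import fail."""
import base64
from dataclasses import dataclass, field


class LdifError(ValueError):
    pass


@dataclass
class Record:
    dn: str
    changetype: str
    attrs: dict = field(default_factory=dict)  # add records: attribute -> [values]
    mods: list = field(default_factory=list)   # modify records: (op, attribute, [values])


def _records(text):
    """Split into blank-line separated records, unfolding continuation lines
    (leading space).  Trailing white space is an error, not silently kept."""
    records, current = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.strip() == "":
            if raw:
                raise LdifError(f"line {lineno}: white-space-only line")
            if current:
                records.append(current)
                current = []
        elif raw != raw.rstrip():
            raise LdifError(f"line {lineno}: trailing white space")
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def _split(line):
    """'name: value' -> (name, value); 'name:: base64' is decoded."""
    name, sep, value = line.partition(":")
    if not sep or not name.strip():
        raise LdifError(f"malformed line {line!r}")
    if value.startswith(":"):
        return name.strip(), base64.b64decode(value[1:].strip()).decode()
    return name.strip(), value.strip()


def parse_ldif(text):
    """Return one Record per LDIF record in `text`."""
    out = []
    for lines in _records(text):
        name, dn = _split(lines[0])
        if name.lower() != "dn":
            raise LdifError(f"record must start with dn:, got {lines[0]!r}")
        rec, body = Record(dn=dn, changetype="add"), lines[1:]  # add is the LDIF default
        if body and _split(body[0])[0].lower() == "changetype":
            rec.changetype, body = _split(body[0])[1].lower(), body[1:]
        if rec.changetype == "add":
            for line in body:
                name, value = _split(line)
                rec.attrs.setdefault(name, []).append(value)
        elif rec.changetype == "modify":
            i = 0
            while i < len(body):
                op, attr = _split(body[i])
                if op.lower() not in ("add", "delete", "replace"):
                    raise LdifError(f"{dn}: expected add/delete/replace, got {body[i]!r}")
                values, i = [], i + 1
                while i < len(body) and body[i] != "-":
                    name, value = _split(body[i])
                    if name.lower() != attr.lower():
                        raise LdifError(f"{dn}: {name!r} inside '{op}: {attr}' block")
                    values.append(value)
                    i += 1
                if i == len(body):
                    raise LdifError(f"{dn}: '{op}: {attr}' block not ended by a '-' line")
                rec.mods.append((op.lower(), attr, values))
                i += 1  # step over the '-'
        elif rec.changetype != "delete":
            raise LdifError(f"{dn}: unsupported changetype {rec.changetype!r}")
        out.append(rec)
    return out


SAMPLE_ADD = """\
dn: CN=Marketing,CN=Users,DC=Contoso,DC=Com
changetype: add
cn: Marketing
objectClass: group
sAMAccountName: Marketing

dn: CN=Finance,CN=Users,DC=Contoso,DC=Com
changetype: add
cn: Finance
objectClass: group
sAMAccountName: Finance
"""

SAMPLE_MODIFY = """\
dn: CN=Finance,CN=Users,DC=Contoso,DC=Com
changetype: modify
add: member
member: CN=Dan Holme,OU=employees,dc=contoso,dc=com
member: CN=Scott Bishop,OU=employees,dc=contoso,dc=com
-
"""
```

Running the lesson's modify listing through parse_ldif yields a single record whose mods list holds one ("add", "member", [two DNs]) entry; changing the third line to delete: member yields the same structure with "delete" as the operation, which is exactly the difference the paragraph above describes.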
Exam Tip Both Csvde and Ldifde provide import and export capabilities, allowing large
numbers of security principals (including users or groups) to be created at once with the least
possible administrative effort. However, the Ldifde command and its file structure are
nowhere near as intuitive for administrators as the comma-delimited file supported by Csvde.
For the 70-290 certification examination, you should understand that both commands are
able to import and export objects using their respective file formats. Only Ldifde is capable of
modifying existing objects or removing objects.
Creating Groups with Dsadd
The Dsadd command, introduced in Chapter 3, is used to add objects to Active Direc-
tory. To add a group, use the syntax
dsadd group GroupDN…
The GroupDN… parameter is one or more distinguished names for the new group
objects. If a DN includes a space, surround the entire DN with quotation marks. The
GroupDN… parameter can be entered one of the following ways:
■ By piping a list of DNs from another command such as dsquery.
■ By typing each DN on the command line, separated by spaces.
■ By leaving the DN parameter empty, at which point you can type the DNs, one at
a time, at the keyboard console of the command prompt. Press ENTER after each
DN. Press CTRL+Z and ENTER after the last DN.
The Dsadd Group command can take the following optional parameters after the DN
parameter:
■ -secgrp {yes | no} determines whether the group is a security group (yes) or a dis-
tribution group (no). The default value is yes.
■ -scope {l | g | u} determines whether the group is a domain local (l), global (g, the
default), or universal (u).
■ -samid SAMName
■ -desc Description
■ -memberof GroupDN... specifies groups to which to add the new group
■ -members MemberDN... specifies members to add to the group
As discussed in Chapter 3, you can add -s, -u, and -p parameters to specify the domain
controller against which Dsadd will run, and the user name and password—the cre-
dentials—that will be used to execute the command.
■ {-s Server | -d Domain}
■ -u UserName
■ -p {Password | *}
For example, to create a new global security group named Marketing in the Employees
OU of the Contoso.com domain, the command would be:
dsadd group "CN=Marketing,OU=Employees,DC=Contoso,DC=Com" -samid Marketing -secgrp yes -scope g
Retrieving Group Attributes with Dsget
The Dsget command, introduced in Chapter 3, returns specified attributes from one or
more objects. The Dsget command has a particularly useful role with groups: it can
return the list of members of a group. For example, the following command returns a
list of DNs of each member of the Sales group:
dsget group "CN=Sales,OU=Employees,DC=Contoso,DC=Com" -members
Exam Tip Dsquery returns a list of objects in Active Directory based on properties speci-
fied as search criteria. It is the most common way to produce a list of DNs to pipe to another
directory service command. Dsget, however, is the only directory service command that pro-
duces a list of DNs of members of a group.
Finding the Domain Groups to Which a User Belongs
Active Directory allows for flexible and creative group nesting, where
■ Global groups can nest into other global groups, universal groups, or domain local
groups.
■ Universal groups can be members of other universal groups or domain local
groups.
■ Domain local groups can belong to other domain local groups.
This flexibility brings with it the potential for complexity, and without the right tools,
it would be difficult to know exactly which groups a user belongs to, whether directly
or indirectly. Fortunately, the Dsget command solves the problem. From a command
prompt, type:
dsget user UserDN -memberof [-expand]
The -memberof switch returns the value of the MemberOf attribute, showing the
groups to which the user directly belongs. By adding the -expand switch, those groups
are searched recursively, producing an exhaustive list of all groups to which the user
belongs in the domain.
Modifying Groups with Dsmod
The Dsmod command, introduced in Chapter 3, is used to modify objects in Active
Directory. To modify a group, use the syntax
dsmod group GroupDN…
The command takes many of the same switches as Dsadd Group, including -samid, -desc,
-secgrp, and -scope. Typically, though, you won’t be changing those attributes of an exist-
ing group. Rather, the most useful switches are those that let you modify the membership
of a group, specifically
■ -addmbr MemberDN Adds members to the group specified in GroupDN
■ -rmmbr MemberDN Removes members from the group specified in GroupDN
As with all directory service commands, the MemberDN is the full, distinguished name
of another Active Directory object, surrounded by quotation marks if there are any
spaces in the DN.
Note On any one command line, you can use only -addmbr or -rmmbr. You cannot use both
in a single Dsmod Group command.
For example, if your goal were to add a user named David Jones in the Employees OU
of contoso.com to the Marketing global security group, the proper Dsmod Group com-
mand would be:
dsmod group "CN=Marketing,OU=Employees,DC=Contoso,DC=Com" -addmbr "CN=David Jones,OU=Employees,DC=Contoso,DC=Com"
You can use Dsget in combination with Dsmod to copy group membership. In the fol-
lowing example, the Dsget command is used to get information about all the members
of the Sales group and then, by piping that list to Dsmod, to add those users to the Mar-
keting group:
dsget group "CN=Sales,OU=Employees,DC=Contoso,DC=Com" -members | dsmod group "CN=Marketing,OU=Employees,DC=Contoso,DC=Com" -addmbr
Moving and Renaming Groups with Dsmove
The Dsmove command, introduced in Chapter 3, allows you to move or rename an
object within a domain. You cannot use it to move objects between domains. Its basic
syntax is:
dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
The object is specified using its distinguished name in the parameter ObjectDN. To
rename the object, specify its new common name in the NewName parameter. To move
an object to a new location, specify the distinguished name of a container through the
ParentDN parameter.
For example, to change the name of the Marketing group to Public Relations, type:
dsmove "CN=Marketing,OU=Employees,DC=Contoso,DC=Com" -newname "Public Relations"
To then move that group to the Marketing OU, type:
dsmove "CN=Public Relations,OU=Employees,DC=Contoso,DC=Com" -newparent "OU=Marketing,DC=Contoso,DC=Com"
Note You can also move or rename a group in the Active Directory Users And Computers
MMC or snap-in by selecting the group and choosing Move or Rename from the Action menu
or the shortcut menu.
Deleting Groups with Dsrm
Dsrm, introduced in Chapter 3, can be used to delete a group. The basic syntax is:
dsrm ObjectDN ... [-subtree [-exclude]] [-noprompt] [-c]
The object is specified by its distinguished name in the ObjectDN parameter. You will
be prompted to confirm the deletion of each object unless you specify the -noprompt
parameter. The -c switch puts Dsrm into continuous operation mode, in which errors
are reported but the command keeps processing additional objects. Without the -c
switch, processing halts on the first error.
To delete the Public Relations group, type:
dsrm "CN=Public Relations,OU=Marketing,DC=Contoso,DC=Com"
Using VBScript to Automate Group Administration
The 70-290 certification examination objectives expect you to have a rudimentary under-
standing of using scripts written in the VBScript scripting language. You will need to be
able to recognize, but not necessarily create, simple VBScript operations. However, a
more detailed understanding of VBScript is a very useful competency for real-world
administration of Active Directory. Because the use of VBScript cuts across multiple top-
ics, including the administration of both users and groups, we have included a sup-
plement entitled “Using VBScript to Automate User and Group Administration” on the
CD-ROM accompanying this book.
On the CD Be sure to read the supplement “Using VBScript to Automate User and Group
Administration” on the CD-ROM accompanying this book.
Practice: Using Ldifde to Manage Group Accounts
In the following exercises, you list the options available for Ldifde, exporting users
from the Active Directory, and creating a group object in the directory.
Exercise 1: Starting Ldifde
In this exercise, you list the command options available with Ldifde.
1. Open a Command Prompt.
2. For a list of commands, at the command prompt, type ldifde /?.
Exercise 2: Exporting the Users from an Organizational Unit
In this exercise, you will export the entire contents of an OU named Marketing, com-
plete with all its users, from the contoso.com domain.
1. In the contoso.com domain (Server01 is a domain controller for contoso.com),
create an OU named Marketing.
2. In the Marketing OU, add two or three users. These users may be named whatever
you choose.
3. Open a command prompt and type the following Ldifde command on a single line:
ldifde -f marketing.ldf -s server01 -d "ou=Marketing,dc=contoso,dc=com" -p subtree -r "(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=contoso,DC=com)"
Figure 4-4 shows the code in action.
Figure 4-4 Output of the Ldifde export of the Marketing OU
This creates an LDIF file named Marketing.ldf by connecting to the server named
Server01 and executing a subtree search of the Marketing OU for all objects of the cate-
gory Person.
Exercise 3: Using Ldifde to Create a Group
In this exercise, you will use Ldifde to add a group named Management to the Market-
ing OU of contoso.com.
1. Start a text editor, such as Notepad, and create a text file named Newgroup.ldf.
(Save the file as an LDIF file, not as a text file.)
2. Edit the LDIF file Newgroup.ldf, and add the following text:
dn: CN=Management,OU=Marketing,DC=contoso,DC=com
changetype: add
cn: Management
objectClass: group
sAMAccountName: Management
3. Save and close the LDIF file.
4. Open a Command Prompt, type the following command, and then press ENTER:
ldifde -i -f newgroup.ldf -s server01
Tip Watch for extra “white space” (tabs, spaces, carriage returns, line feeds) in the file.
Extra white space in the file will cause the command to fail.
5. To confirm that the new group has been created, check the Active Directory Users
And Computers snap-in.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. Which of the following Ldifde commands changes the function of Ldifde from
export to import?
a. -i
b. -t
c. -f
d. -s
2. What object classes are possible to export and import using Ldifde?
3. You have a database of users that is capable of exporting CSV files. Can you use
such a file, or must you create an *.ldf file manually for importing?
Lesson Summary
■ Ldifde is an included tool with Windows Server 2003 that allows for the importing
and exporting of data into and out of Active Directory.
■ If you have an existing directory of user data, you can use Ldifde to export the
desired data for importing into Active Directory, which is, generally, a more effi-
cient process than creating each element individually by hand. CSV files are usable
so long as the data is correctly formatted, with all required elements included and
in their proper order.
■ Ldifde can be copied from a Windows Server 2003 to a Windows 2000 or Windows
XP desktop for use with Active Directory.
Case Scenario Exercise
You are in the process of building your Active Directory and have some user data from the
Human Resources department that includes first and last name, address, and telephone
number. Company policy states that the user logon name should be the combination of
first name or initial and last name. (For example, Ben Smith would be bsmith.)
You have 500 users, 30 groups, and 10 OUs. In practical terms, what is the best way to
get your Active Directory set up as quickly and easily as possible?
Troubleshooting Lab
Creating individual objects (users, groups, and computers) in your Active Directory is
a straightforward process, but finding objects and their associations after many objects
have been created can present challenges. In a large, multiple-domain environment (or
in a complicated smaller one), solving resource access problems can be difficult. For
example, if Sarah can access some but not all of the resources that are intended for her,
she might not have membership in the groups that have been assigned permissions to
the resources.
If you have multiple domains with multiple OUs in each domain, and multiple, nested
groups in each of those OUs, it could take a great deal of time to examine the mem-
bership of these many groups to determine whether the user has the appropriate mem-
bership. Active Directory Users And Computers would not be the best tool choice.
You will use the Dsget command to get a comprehensive listing of all groups of which
a user is a member. For the purposes of this lab, the user Ben Smith in the contoso.com
domain, the Users OU, will be used.
1. Choose a user in your Active Directory to use as a test case for the steps that fol-
low. If you do not have a construction that is to your liking, create a number of
nested groups across several OUs, making the user a member of only some of the
groups.
2. Open a command prompt.
3. Type the following command (substituting your selected user name and OU for
Ben Smith):
dsget user "CN=Ben Smith,CN=Users,DC=contoso,DC=com" -memberof -expand
The complete listing of all groups of which the user is a member is displayed.
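The recursive expansion that dsget -memberof -expand performs, as an added Python example serving both the "Finding the Domain Groups to Which a User Belongs" section of Lesson 3 and this lab. It is not Dsget's code and reads no live directory: SAMPLE_MEMBER_OF is a constructed map from object DN to memberOf values in the book's contoso.com naming, and it deliberately nests Sales inside Marketing and Marketing back inside Sales, a cycle Active Directory permits, so the walk must remember where it has already been. The membership_chain function goes one step beyond the command: it reports through which groups the user reaches a given group, which is the question the troubleshooting scenario above actually asks.

```python
"""Expanding nested group membership, the work `dsget user -memberof -expand` does.
Added example (not Dsget's code): the directory is a constructed in-memory map
from object DN to direct memberOf values, with a Sales <-> Marketing cycle.
"""
from collections import deque

# Constructed sample DNs in the book's contoso.com naming.
BEN = "CN=Ben Smith,CN=Users,DC=contoso,DC=com"
SALES = "CN=Sales,OU=Employees,DC=contoso,DC=com"
MARKETING = "CN=Marketing,OU=Employees,DC=contoso,DC=com"
FINANCE_REPORTS = "CN=Finance Reports,OU=Employees,DC=contoso,DC=com"
HELPDESK = "CN=Helpdesk,OU=IT,DC=contoso,DC=com"
IT_STAFF = "CN=IT Staff,OU=IT,DC=contoso,DC=com"

SAMPLE_MEMBER_OF = {          # object DN -> its memberOf attribute
    BEN: [SALES, HELPDESK],
    SALES: [MARKETING],
    MARKETING: [FINANCE_REPORTS, SALES],   # Sales <-> Marketing nesting cycle
    FINANCE_REPORTS: [],
    HELPDESK: [IT_STAFF],
    IT_STAFF: [],
}


def direct_groups(directory, dn):
    """What `dsget user -memberof` alone reports: the memberOf attribute."""
    return list(directory.get(dn, []))


def expanded_groups(directory, dn):
    """What `-memberof -expand` reports, as {group_dn: nesting depth} with
    depth 1 = direct member.  Breadth-first with a visited set, so the
    Sales <-> Marketing cycle terminates and each group gets its shortest depth."""
    depth_of = {}
    queue = deque((group, 1) for group in directory.get(dn, []))
    while queue:
        group, depth = queue.popleft()
        if group in depth_of:
            continue
        depth_of[group] = depth
        queue.extend((parent, depth + 1) for parent in directory.get(group, []))
    return depth_of


def membership_chain(directory, dn, target):
    """Shortest nesting chain from dn to target, or None if dn is not a member
    even indirectly: the groups through which the user reaches the permission."""
    previous = {dn: None}
    queue = deque([dn])
    while queue:
        current = queue.popleft()
        if current == target:
            chain = []
            while current is not None:
                chain.append(current)
                current = previous[current]
            return chain[::-1]
        for parent in directory.get(current, []):
            if parent not in previous:
                previous[parent] = current
                queue.append(parent)
    return None
```

For Ben Smith the direct list is two groups, while the expanded walk returns five, with Finance Reports reached only at depth three via Sales and Marketing; a user who "can access some but not all" of the intended resources is usually missing one link in such a chain.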
Chapter Summary
■ Groups may be created within any OU within Active Directory.
■ There are two types of groups: security and distribution.
■ There are three scopes of groups: domain local, global, and universal.
■ Manual creation of groups is accomplished with the Active Directory Users And
Computers MMC.
■ Automated creation of groups is accomplished with the Ldifde command-line tool.
■ Directory Services Tools such as Dsquery, Dsget, and Dsmod can be used to list,
create, and modify groups and their membership.
■ Group types can be changed only when the domain functional level is at least
Windows 2000 native.
■ Advanced group nesting is possible only when the domain functional level is at
least Windows 2000 native.
Exam Highlights
Before taking the exam, review the key points and terms that are presented below to
help you identify topics you need to review. Return to the lessons for additional prac-
tice and review the “Further Reading” sections in Part 2 for pointers to more informa-
tion about topics covered by the exam objectives.
Key Points
■ The types of groups and their available uses depending on the domain functional
level
■ The scope of groups and their various nesting constructions depending on the
domain functional level
■ The basic use of Active Directory Users And Computers in creating groups and
modifying their membership
■ The basic use of Ldifde for exporting groups from one directory to another and in
creating groups
■ The basic use of Dsget for listing complete group memberships for a user
Key Terms
domain local group (scope) In mixed or interim domain functional level, these
local groups are available only on domain controllers, not domainwide.
global group (scope) A group that is available domainwide in any domain func-
tional level.
universal group (scope) A group that can be available domainwide in any func-
tional level, but limited to distribution scope in Windows 2000 mixed and Windows
Server 2003 interim domain functional levels.
security group (type) Can have permissions assigned in an ACL.
distribution group (type) Cannot have permissions assigned in an ACL.
Questions and Answers
Lesson 1 Review (page 4-11)
1. What type of domain group is most like the local group on a member server? How
are they alike?
Domain local groups are very similar to local groups on a member server in that they are, in a
mixed or Windows Server 2003 interim domain functional level domain, limited to the comput-
ers on which they reside—in the case of domain local groups, the domain controller. Until the
domain functional level is raised to Windows 2000 native or Windows Server 2003, the domain
local groups cannot be used for permission assignment on any servers in the domain other
than the domain controllers.
2. If you are using universal groups in your domain or forest, and you need to give
permission-based access to the members of the universal group, what configura-
tion must be true of the universal group?
For the universal group:
❑ The domain functional level must be Windows 2000 native or Windows Server 2003.
❑ The universal group must be of the type security (not distribution).
3. In a domain running in Windows Server 2003 domain functional level, what secu-
rity principals can be a member of a global group?
❑ Users
❑ Computers
❑ Global groups
Lesson 2 Review (page 4-14)
1. In the properties of a group, which tab will you access to add users to the group?
The Members tab is used for adding members to the group.
2. You want to nest the IT Administrators group responsible for the Sales group
inside the Sales group so that its members will have access to the same resources
(set by permissions in an ACL) as the Sales group. From the Properties page of the
IT Administrators group, what tab will you access to make this setting?
The Members Of tab is used for adding the IT Administrators group to the Sales group.
3. If your environment consists of two domains, one Windows Server 2003 and one
Windows NT 4, what group scopes can you use for assigning permissions on any
resource on any domain-member computer?
In a Windows Server 2003 interim domain functional level domain, which is what you must be
running to support a Windows NT 4 domain, you will be able to use only global groups as secu-
rity principals. Domain local groups will be useful only on the domain controllers in the Windows
Server 2003 domain, and universal groups cannot be used as security groups in a Windows
Server 2003 interim domain functional level domain.
Lesson 3 Review (page 4-25)
1. Which of the following Ldifde commands changes the function of Ldifde from
export to import?
a. -i
b. -t
c. -f
d. -s
The correct answer is a. The -i command changes the default function of Ldifde from exporting
to importing.
2. What object classes are possible to export and import using Ldifde?
Any object in Active Directory can be exported or imported using Ldifde, including users,
groups, computers, or OUs. In addition, any property of these objects can be modified using
Ldifde.
3. You have a database of users that is capable of exporting CSV files. Can you use
such a file, or must you create an *.ldf file manually for importing?
You can use a CSV file for importing user data into Active Directory. Windows Server 2003 will
fill in missing values with default values where possible, but if a mandatory item is missing
from the file, then errors will occur during importing and the object will not be created.
Case Scenario Exercise (page 4-25)
You have 500 users, 30 groups, and 10 OUs. In practical terms, what is the best way to
get your Active Directory set up as quickly and easily as possible?
Although there is no absolutely correct answer, there are different levels of complexity to con-
sider. A blending of methods is probably best, given the following considerations:
■ The user data can be edited as needed, but those edits are minimal, and the users can be
brought into Active Directory using Ldifde.
■ The OU construction can be part of the user construction, all from the same file, with min-
imal editing. For the OUs, use Ldifde as well.
■ The groups might be another matter. Because group membership is a multivalued attribute
in Active Directory, group membership must be listed, uniquely, for each group as it is cre-
ated. It would be very confusing to do that within a single file, and errors would be likely. A
better approach is to do the group memberships individually.
5 Computer Accounts
Exam Objectives in this Chapter:
■ Create and manage computer accounts in an Active Directory environment
■ Troubleshoot computer accounts
❑ Diagnose and resolve issues related to computer accounts by using the Active
Directory Users and Computers MMC snap-in
❑ Reset a computer account
Why This Chapter Matters
As an administrator, you are aware that, over time, hardware is added to your
organization, computers are taken offline for repair, machines are exchanged
between users or roles, and old equipment is retired or upgraded, leading to the
acquisition of replacement systems. Each of these activities involves updating the
computer accounts in Active Directory.
Just as a user is authenticated by the user object’s user name and password, a
computer maintains an account with a name and password that is used to create
a secure relationship between the computer and the domain. A user can forget his
or her password, requiring you to reset the password, or can take a leave of
absence, requiring the disabling of the user object. Likewise, a computer’s
account can require reset or disabling for other reasons.
In this chapter, you will learn how to create computer objects, which include the
security properties required for the object to be an “account,” and manage those
objects using Active Directory Users And Computers graphical user interface
(GUI) as well as the powerful command-line tools of Microsoft Windows Server
2003. You will also review your understanding of the process through which a
computer joins a domain so that you can identify potential points of failure and
more effectively troubleshoot computer accounts. Finally, you will master the key
skills required to troubleshoot and repair computer accounts.
Lessons in this Chapter:
■ Lesson 1: Joining a Computer to a Domain. . . . . . . . . . . . . . . . . . . . . . . . . . .5-3
■ Lesson 2: Managing Computer Accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . .5-13
■ Lesson 3: Troubleshooting Computer Accounts. . . . . . . . . . . . . . . . . . . . . . .5-19
5-2 Chapter 5 Computer Accounts
Before You Begin
This chapter presents the skills and concepts related to computer accounts in Active
Directory. If you desire hands-on practice, using the examples and lab exercises in the
chapter, you should have the following prepared:
■ A machine running Windows Server 2003 (Standard Edition or Enterprise Edi-
tion) installed as Server01 and configured as a domain controller in the domain
contoso.com.
■ First-level organizational units (OUs): “Administrative Groups,” “Desktops,” and
“Servers.”
■ A global security group, in the Administrative Groups OU, called “Deployment.”
■ The Active Directory Users And Computers console or a customized console with
the Active Directory Users And Computers snap-in.
■ One exercise, joining a computer to a domain, is possible only if you have a sec-
ond computer running Microsoft Windows 2000 Professional, Windows XP, or
Windows Server 2003, with connectivity to Server01. Domain Name System (DNS)
services must be configured properly, on Server01 or elsewhere, and the second
computer must be configured to use that DNS server so that it can locate the
domain controller (Server01) for contoso.com.
Lesson 1: Joining a Computer to a Domain
The default configuration of Windows Server 2003, and all Windows operating sys-
tems, is that the computer belongs to a workgroup. In a workgroup, a Windows NT–
based computer (which includes Windows NT 4, Windows 2000, Windows XP, and
Windows Server 2003) can authenticate users only from its local Security Accounts
Manager (SAM) database. It is a stand-alone system, for all intents and purposes. Its
workgroup membership plays only a minor role, specifically in the browser service.
Although a user at a workgroup computer is not actually logged on to that computer
with a domain account, the user can nonetheless connect to shares on other machines
in a workgroup or in a domain—the other machines will simply prompt for a username
and password.
Before you can log on to a computer with your domain user account, that computer
must belong to a domain. The two steps necessary to join a computer to a domain are,
first, to create an account for the computer and, second, to configure the computer to
join the domain using that account. This lesson will focus on the skills related to the
creation of computer accounts and joining computers to domains. The next lesson will
explore, in more depth, the computer accounts themselves.
Just as users do, computers maintain identities, also called “accounts,” that include a
name, password, and security identifier (SID). Those properties are incorporated into
the computer object class within Active Directory. Preparing for a computer to be part
of your domain is therefore a process strikingly similar to preparing for a user to be
part of your domain: you must create a computer object in Active Directory.
After this lesson, you will be able to
■ Create computer accounts using Active Directory Users And Computers
■ Create computer accounts using the Dsadd command-line tool
■ Create computer accounts using the Netdom command-line tool
■ Join a computer to a domain by changing the network identification properties
■ Understand the importance of creating computer accounts prior to joining a domain
Estimated lesson time: 20 minutes
Creating Computer Accounts
You must be a member of the Administrators or Account Operators groups on the
domain controllers to create a computer object in Active Directory. Domain Admins
and Enterprise Admins are, by default, members of the Administrators group. Alterna-
tively, it is possible to delegate administration so that other users or groups can create
computer objects.
However, domain users can also create computer objects through an interesting, indi-
rect process. When a computer is joined to the domain and an account does not exist,
Active Directory creates a computer object automatically, by default, in the Computers
OU. Each user in the Authenticated Users group (which is, in effect, all users) is
allowed to join 10 computers to the domain, and can therefore create as many as 10
computer objects in this manner.
Creating Computer Objects Using Active Directory Users and Computers
To create a computer object, or “account,” open Active Directory Users And Computers
and select the container or OU in which you want to create the object. From the Action
menu or the right-click shortcut menu, choose the New Computer command. The New
Object–Computer dialog box appears, as illustrated in Figure 5-1.
Figure 5-1 The New Object–Computer dialog box
In the New Object–Computer dialog box, type the computer name. Other properties in
this dialog box will be discussed in the following lesson. Click Next. The following
page of the dialog box requests a globally unique identifier (GUID). A GUID is used to
pre-stage a computer account for Remote Installation Services (RIS) deployment, which
is beyond the scope of this discussion. It is not necessary to enter a GUID when creat-
ing a computer account for a machine you will be joining to the domain using other
methods. So just click Next and then click Finish.
Creating Computer Objects Using Dsadd
Chances are the process described above is something you’ve done before. But before
you decide there’s nothing new under the sun, Windows Server 2003 provides a useful
command-line tool, Dsadd, which allows you to create computer objects from the com-
mand prompt or a batch file.
In Chapter 3, “User Accounts,” you used Dsadd to create user objects. To create computer
objects, simply type dsadd computer ComputerDN where ComputerDN is the distin-
guished name (DN) of the computer, such as
CN=Desktop123,OU=Desktops,DC=contoso,DC=com.
If the computer’s DN includes a space, surround the entire DN with quotation marks.
The ComputerDN parameter can include more than one distinguished name for new
computer objects, making Dsadd Computer a handy way to generate multiple objects
at once. The parameter can be entered in one of the following ways:
■ By piping a list of DNs from another command, such as Dsquery.
■ By typing each DN on the command line, separated by spaces.
■ By leaving the DN parameter empty, at which point you can type the DNs, one at
a time, at the keyboard console of the command prompt. Press ENTER after each
DN. Press CTRL+Z and ENTER after the last DN.
The Dsadd Computer command can take the following optional parameters after the
DN parameter:
■ -samid SAMName
■ -desc Description
■ -loc Location
Creating a Computer Account with Netdom
The Netdom command is available as a component of the Support Tools, installable
from the SupportTools directory of the Windows Server 2003 CD. The command is
also available on the Windows XP and Windows 2000 CDs. Use the version that is
appropriate for the platform. Netdom allows you to perform numerous domain
account and security tasks from the command line.
To create a computer account in a domain, type the following command:
netdom add ComputerName /domain:DomainName /userd:User /passwordd:UserPassword
[/ou:OUDN]
This command creates the computer account for ComputerName in the domain
DomainName using the domain credentials User and UserPassword. The /ou parameter
causes the object to be created in the OU specified by the OUDN distinguished name
following the parameter. If no OUDN is supplied, the computer account is created in
the Computers OU by default. The user credentials must, of course, have permissions
to create computer objects.
Joining a Computer to a Domain
A computer account alone is not enough to create the secure relationship required
between a domain and a machine. The machine must join the domain.
To join a computer to the domain, perform the following steps:
1. Open the computer’s Computer Name properties. You can access these properties
in several ways:
❑ Right-click My Computer and choose Properties. Click the Computer Name tab.
❑ Open Control Panel, select System, and in the System Properties dialog box,
click the Computer Name tab.
Note The Computer Name tab is called Network Identification on Windows 2000 systems.
The Change button is called Properties. The functionality is, however, identical.
❑ Open the Network Connections folder from Control Panel and choose the
Network Identification command from the Advanced menu.
2. On the Computer Name tab, click Change to open the Computer Name Changes
dialog box, shown in Figure 5-2. This dialog box allows you to change the name and
the domain or workgroup membership of the computer.
Exam Tip You cannot change a computer’s name or membership if you are not logged on
with administrative credentials on that system. Only users who belong to the local Administra-
tors group will find the Change button enabled and functional.
Figure 5-2 The Computer Name Changes dialog box
3. In the Computer Name Changes dialog box, click Domain and type the name of
the domain.
Tip Although the NetBIOS (flat) domain name might succeed in locating the target domain,
it is best practice to enter the DNS name of the target domain. DNS configuration is critical to
a computer running Windows 2000, Windows XP, or Windows Server 2003. By using the DNS
domain name, you leverage the preferred name resolution process and test the computer’s
DNS configuration. If the computer is unable to locate the domain you’re attempting to join,
ensure that the DNS server entries configured for the network connection are correct.
4. Click OK.
The computer contacts the domain controller. If there is a problem connecting to the
domain, examine network connectivity and configuration, as well as DNS configura-
tion. When the computer successfully contacts the domain, you will be prompted, as in
Figure 5-3, for a user name and password with privileges to join the domain. Note that
the credentials requested are your domain user name and password.
Figure 5-3 Prompt for credentials to join domain
If you have not created a domain computer account with a name that matches the com-
puter’s name, Active Directory creates an account automatically in the default Comput-
ers container. Once a domain computer account has been created or located, the
computer establishes a trust relationship with the domain, alters its SID to match that
of the account, and makes modifications to its group memberships. The computer must
then be restarted to complete the process.
Note The Netdom Join command can also be used to join a workstation or server to a
domain. Its functionality is identical to the Computer Name Changes user interface except
that it also allows you to specify the OU in which to create an account if a computer object
does not already exist in Active Directory.
The Computers Container vs. OUs
The Computers container is the default location for computer objects in Active Direc-
tory. After a domain is upgraded from Windows NT 4 to Active Directory, all computer
accounts are found, initially, in this container. Moreover, when a machine joins the
domain and there is no existing account in the domain for that computer, a computer
object is created automatically in the Computers container.
Tip The Microsoft Windows Server 2003 Resource Kit includes the Redircmp tool, which
allows you to redirect the creation of automatic computer objects to an OU of your choice. The
domain must be in Windows Server 2003 domain functional level. (See Chapter 4, Lesson 1.)
Such a tool is useful to organizations in which computer account creation is less tightly con-
trolled. Because automatically created computer objects are created in an OU, they can be
managed by policies linked to that OU. See the Windows Server 2003 Resource Kit for more
information on Redircmp.
Although the Computers container is the default container for computer objects, it is not
the ideal container for computer objects. Unlike OUs, containers such as Computers,
Users, and Builtin cannot be linked to policies, limiting the possible scope of computer-
focused Group Policy.
A best-practice Active Directory design will include at least one OU for computers.
Often there are multiple OUs for computers, based on administrative division or
region, or for the separate administration of laptops, desktops, and servers. As an
example, there is a default OU for Domain Controllers in Active Directory, which is
linked to the Default Domain Controller Policy. By creating one or more OUs for com-
puters, an organization can delegate administration and manage computer configura-
tion, through Group Policy, more flexibly.
If your organization has one or more OUs for computers, you must move any com-
puter objects created automatically in the Computers container into the appropriate
OU. To move a computer object, select the computer and choose Move from the
Action menu. Alternatively, use the new drag-and-drop feature of the MMC to move
the object.
You can also move a computer object, or any other object, with the Dsmove command.
The syntax of Dsmove is:
dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
The -newname parameter allows you to rename an object. The -newparent parameter
allows you to move an object. To move a computer named DesktopABC from the
Computers container to the Desktops OU, you would type the following:
dsmove "CN=DesktopABC,CN=Computers,DC=Contoso,DC=com" -newparent "OU=Desktops,DC=Contoso,DC=com"
In this command, you again see the distinction between the Computers container (CN)
and the Desktops organizational unit (OU).
You must have appropriate permissions to move an object in Active Directory. Default
permissions allow Account Operators to move computer objects between containers,
including the Computers container and any OUs except into or out of the Domain Con-
trollers OU. Administrators, which include Domain Admins and Enterprise Admins, can
move computer objects between any containers, including the Computers container,
the Domain Controllers OU, and any other OUs.
Tip The best practice is to pre-stage computer accounts—that is, create a computer
account in the correct OU (using the skills discussed in previous sections) prior to joining the
computer to the domain. By doing so, you ensure that the administration of the computer
account is delegated correctly and that the computer is within the scope of the Group Policy
Objects (GPOs) your organization has created to configure computers.
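The pre-staging workflow this section recommends, written out as an added batch-file example (this is not code from the training kit): it creates accounts in the Desktops OU with Dsadd Computer and Netdom Add, then uses Dsquery and Dsmove to sweep any computers that were created automatically in the Computers container into that OU, where OU-linked GPOs and delegated administration apply to them. The domain contoso.com and the Desktops OU come from this chapter's lab setup; the computer names, the description, the location, and the administrator account name are made-up values.

```batch
@echo off
rem Added example, not from the training kit. Pre-stages computer accounts in the
rem Desktops OU of contoso.com, then moves auto-created accounts out of the default
rem Computers container. Computer names, description, and location are made up.
setlocal
set "OU=OU=Desktops,DC=contoso,DC=com"

rem 1. Dsadd Computer accepts several DNs on one line, so two accounts are created
rem    at once; -desc and -loc are the optional parameters listed in the lesson.
dsadd computer "CN=Desktop10,%OU%" "CN=Desktop11,%OU%" -desc "Pre-staged, pending deployment" -loc "Building 2"

rem 2. Netdom Add does the same job and can target the OU directly. /passwordd:*
rem    prompts for the password instead of leaving it written in the script.
netdom add Desktop12 /domain:contoso.com /userd:contoso\Administrator /passwordd:* /ou:%OU%

rem 3. Any computer joined without a pre-staged account landed in CN=Computers,
rem    outside the scope of OU-linked GPOs. Dsquery prints each DN already quoted,
rem    so it can be handed straight to Dsmove. -limit 0 removes the default cap
rem    of 100 results.
for /f "usebackq delims=" %%D in (`dsquery computer "CN=Computers,DC=contoso,DC=com" -scope onelevel -o dn -limit 0`) do (
    echo Moving %%D to %OU%
    dsmove %%D -newparent "%OU%"
)

rem 4. Confirm the result: every computer object now in the Desktops OU.
dsquery computer "%OU%" -scope onelevel -limit 0
endlocal
```

Run it from a command prompt on Server01 (or any machine with the Support Tools installed) as an account that can create and move computer objects; Account Operators suffice for the steps shown, because none of them touch the Domain Controllers OU. Step 3 is the part worth scheduling: it keeps the Computers container empty so that no machine stays outside the policies and delegation your OU design depends on.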
Practice: Joining a Computer to an Active Directory Domain
In this practice, you will create computer accounts using Active Directory Users and
Computers and Dsadd. You then can join a computer to the domain if you have access
to a second system.
Exercise 1: Creating Computer Accounts with Active Directory Users
and Computers
1. Open Active Directory Users And Computers.
2. In the Servers OU, create a computer object for a computer named “SERVER02.”
Configure only the computer name. Do not change any of the other default
properties.
Like a user, a computer has two names—the computer name and the “Pre–Windows
2000” computer name. It is a best practice to keep the names the same.
Exercise 2: Creating Computer Accounts with Dsadd
1. Open the command prompt.
2. Type the following command:
dsadd computer "cn=desktop03,ou=servers,dc=contoso,dc=com"
Exercise 3: Moving a Computer Object
1. Open Active Directory Users And Computers.
2. Using the Move command, move the Desktop03 computer object from the Servers
OU to the Desktops OU.
3. Drag Server02 from the Servers container to the Computers container.
4. Select the Computers container to confirm that Server02 arrived in the right place.
Drag-and-drop is, of course, subject to user error.
Off the Record The MMC is notorious for causing mild panic attacks. It does not refresh
automatically. You must use the Refresh command or shortcut key (F5) to refresh the console
after making a change such as moving an object.
5. Open the properties of the Computers container. You will see that it does not have
a Group Policy tab, unlike an OU such as Servers. This is among the reasons why
organizations create one or more additional OUs for computer objects.
6. Open a command prompt.
7. Type the command:
dsmove "CN=Server02,CN=Computers,DC=contoso,DC=com" -newparent "OU=Servers,DC=contoso,DC=com"
This command, as you can deduce, will move the computer object back to the
Servers OU.
8. Confirm that the computer is again in the Servers OU.
Exercise 4 (Optional): Join a Computer to a Domain
This exercise requires an additional system with network connectivity to Server01. In
addition, DNS must be configured correctly so that Server01’s service records (SRV) are
created. The additional computer must have DNS configured so that it can locate
Server01 as a domain controller for contoso.com.
1. If you have an additional system that you are able to join to the domain in the next
exercise, create an account for it in the Desktops OU using either Active Directory
Users And Computers or Dsadd. Be certain that the name you use is the same
name as the computer.
2. Log on to the computer. You must log on as an account with membership in the
computer’s local Administrators group to change its domain membership.
3. Locate the Computer Name tab by opening System from Control Panel or the Net-
work Identification command from the Advanced menu of the Network Connec-
tions folder.
4. Click Change.
5. Click Domain and type the DNS domain name, contoso.com.
6. Click OK.
7. When prompted, enter the credentials for the contoso.com domain’s Administrator
account.
8. Click OK.
9. The computer will prompt you that a reboot is necessary. Click OK to each mes-
sage and to close each dialog box. Reboot the system.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. What are the minimum credentials necessary to create a Windows Server 2003
computer account in an OU in a domain? Consider all steps of the process.
Assume Active Directory does not yet have an account for the computer.
a. Domain Admins
b. Enterprise Admins
c. Administrators on a domain controller
d. Account Operators on a domain controller
e. Server Operators on a domain controller
f. Account Operators on the server
g. Server Operators on the server
h. Administrators on the server
2. Which locations allow you to change the domain membership of a computer run-
ning Windows Server 2003?
a. The properties of My Computer
b. Control Panel’s System application
c. Active Directory Users and Computers
d. The Network Connections folder
e. The Users application in Control Panel
3. What command-line tools will create a domain computer account in Active
Directory?
a. Netdom
b. Dsadd
c. Dsget
d. Netsh
e. Nslookup
Lesson Summary
■ Members of the Administrators and Account Operators groups have, by default,
permission to create computer objects in Active Directory.
■ Active Directory Users And Computers, Dsadd, and Netdom can be used to create
computer accounts.
■ You must be logged on as a member of the local Administrators group to change
the domain membership of a machine.
Lesson 2: Managing Computer Accounts
In the previous lesson, you examined the fundamental components of a computer’s
relationship with a domain: the computer’s account and joining the computer to the
domain. This lesson looks more closely at the computer object in Active Directory. You
will learn about the other properties and permissions that make computer objects
“tick” and how to manage those properties and permissions using GUI and command-
line tools.
After this lesson, you will be able to
■ Configure the permissions of a new Active Directory computer object
■ Configure the properties of an Active Directory computer object
■ Find and manage computer accounts using Active Directory Users And Computers
Estimated lesson time: 10 minutes
Managing Computer Object Permissions
In Lesson 1, you learned that you could join a computer to a domain by providing
domain administrator credentials when prompted by the computer during the join pro-
cess. Security concerns, however, require us to use the minimum necessary credentials
to achieve a particular task, and it does seem like overkill to need a Domain Admins’
account to add a desktop to the domain.
Fortunately, Active Directory allows you to control, with great specificity, the groups or
users that can join a computer to a domain computer account. Although the default is
Domain Admins, you can allow any group (for example, a group called “Deployment
Team”) to join a machine to an account. This is most easily achieved while creating the
computer object.
When you create a computer object, the first page of the New Object–Computer dialog
box (previously shown in Figure 5-1) indicates The Following User Or Group Can Join
This Computer To A Domain. Click Change and you can select any user or group. This
change modifies a number of permissions on the computer object in Active Directory.
The following page of the New Object–Computer dialog box prompts you for the
globally unique identifier (GUID) of the computer, which is necessary to prestage an
account for a computer that will be installed using Remote Installation Services
(RIS). For more information on RIS, see the Microsoft online Knowledge Base,
http://support.microsoft.com/.
If the computer that is using the account that you are creating is running a version of
Windows earlier than 2000, select the Assign This Computer Account As A Pre–Windows
2000 Computer check box. If the account is for a Windows NT backup domain con-
troller, click Assign This Computer Account As A Backup Domain Controller.
Tip Remember, only computers based on Windows NT technologies can belong to a
domain, so Windows 95, Windows 98, and Windows Millennium Edition (Windows Me) cannot
join or maintain computer accounts. Therefore, this check box really means Windows NT 4.
Managing the Computer Object
You can manage computer objects using many of the same skills presented in Chapters 3
and 4. After selecting a computer object, you can, from the Action or shortcut menu:
■ Delete the computer.
■ Rename the computer.
■ Disable or enable the computer.
■ Move the computer to another OU.
■ Add the computer to a security group.
Tip The ability to manage computers in groups is an important enhancement to Active
Directory. A group to which computers belong can be used to control resource access permis-
sions such that any user logged on to a computer in the group is granted or denied access.
Similarly, a group to which computers belong can be used to filter the application of a GPO.
■ Reset the computer account. (See Lesson 3 for more information.)
As with users and groups, it is possible to multiselect more than one computer object
and subsequently manage or modify all selected computers simultaneously.
Configuring Computer Properties
Computer objects have several properties that are not visible when creating a computer
account in the user interface. Open a computer object’s Properties dialog box to set its
location and description, configure its group memberships and dial-in permissions,
and link it to a user object of the computer’s manager. The Operating System properties
page is read-only. The information is published automatically to Active Directory and
will be blank until a computer has joined the domain using that account.
Several object classes in Active Directory support the Manager property that is shown
on the Managed By property page of a computer. This linked property creates a cross-
reference to a user object. All other properties—the addresses and telephone num-
bers—are displayed directly from the user object. They are not stored as part of the
computer object itself.
The Dsmod command, as discussed in Chapter 3 and Chapter 4, can also modify sev-
eral of the properties of a computer object. You will see the Dsmod command in action
in the following lesson regarding troubleshooting computer accounts.
Finding and Connecting to Objects in Active Directory
When a user calls you with a particular problem, you might want to know what oper-
ating system and service pack is installed on that user’s system. You learned that this
information is stored as properties of the computer object. The only challenge, then, is
to locate the computer object, which might be more difficult in a complex Active Direc-
tory with one or more domains and multiple OUs.
The Active Directory Users and Computers snap-in provides easy access to a powerful, graphical search tool. This tool can be used to find a variety of object types. In this context, however, your search entails an object of the type Computer. Click the Find Objects In Active Directory button on the console toolbar. The resulting Find Computers dialog box is illustrated in Figure 5-4. You can select the type of object (Find), the scope of the search (In), and specify search criteria before clicking Find Now.
Figure 5-4 The Find Computers dialog box as it appears after a successful search
The list of results allows you to select an object and, from the File menu or the shortcut
menu, perform common tasks on the selected object. Many administrators appreciate
learning that you can use the Manage command to open the Computer Management
console and connect directly to that computer, allowing you to examine its event logs,
device manager, system information, disk and service configuration, or local user or
group accounts.
Practice: Managing Computer Accounts
In this practice, you will search for a computer object and modify its properties.
Exercise 1: Managing Computer Accounts
1. Open Active Directory Users And Computers.
2. Select the Security Groups OU and create a global security group called Deployment.
3. Select the Desktops OU.
4. Create a computer account for Desktop04. In the first page of the New Object–Computer dialog box, click Change below The Following User Or Group Can Join This Computer To A Domain. Type deployment in the Select User or Group dialog box, and then click OK.
5. Complete the creation of the Desktop04 computer object.
Exercise 2: Finding Objects in Active Directory
1. Open Active Directory Users And Computers.
2. On the toolbar, click the Find Objects in the Active Directory icon.
3. By default, the Find dialog box is ready to search for Users, Contacts, and Groups.
Choose Computers from the Find drop-down list, and select Entire Directory from
the In drop-down list.
4. In the Computer Name field, type server and click Find Now.
A result set appears that includes Server01.
Exercise 3: Changing Computer Properties
1. From the result set returned in Exercise 1, open Server01’s properties dialog box.
2. Click the Location tab.
3. Type Headquarters Server Room.
4. Click the Managed By tab, and then click Change.
5. Type Hank and then click OK.
6. Note that the user’s name and contact information appears.
7. Click the Operating System tab. Note the OS version and service pack level are
displayed.
8. (Optional) If you joined a second computer to the domain in Exercise 4 of Lesson 1, open the properties of that computer object and note the Operating System properties of that computer.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. What platforms are capable of joining a domain?
a. Windows 95
b. Windows NT 4
c. Windows 98
d. Windows 2000
e. Windows Me
f. Windows XP
g. Windows Server 2003
2. You open a computer object and, on the Operating System tab, discover that no
properties are displayed. What causes these properties to be absent?
3. An executive has a laptop running Windows XP, with a machine name of “TopDog.” You want to allow the executive’s laptop to join the domain, and you want to be sure that the computer is configured by the group policies linked to the Desktops OU immediately. How can you achieve this goal?
4. Why is it a best practice to create a computer account in the domain prior to joining a machine to the domain?
Lesson Summary
■ You can allow any user or group to join a computer to a domain account by using
the property The Following User Or Group Can Join This Computer To A Domain.
■ The Find Objects In Active Directory button on the Active Directory Users And
Computers snap-in toolbar allows you to search for, and then manage, computer
and other Active Directory objects.
Lesson 3: Troubleshooting Computer Accounts
Active Directory domains treat computers as security principals. This means that a computer, just like a user, has an account—or, more specifically, properties within the computer object such as a name, a password, and a SID. Like user accounts, computer accounts require maintenance and, occasionally, troubleshooting. This lesson focuses on skills and concepts related to troubleshooting computer objects.
After this lesson, you will be able to
■ Understand the important difference among deleting, disabling, and resetting computer
accounts
■ Recognize the symptoms of computer account problems
■ Troubleshoot computer accounts by deleting, disabling, resetting, or rejoining, using
both command-line and user-interface tools
Estimated lesson time: 20 minutes
Deleting, Disabling, and Resetting Computer Accounts
Computer accounts, like user accounts, maintain a unique SID, which enables an
administrator to grant permissions to computers. Also like user accounts, computers
can belong to groups. Therefore, like user accounts, it is important to understand the
effect of deleting a computer account. When a computer account is deleted, its group
memberships and SID are lost. If the deletion is accidental, and another computer
account is created with the same name, it is nonetheless a new account with a new
SID. Group memberships must be reestablished, and any permissions assigned to the
deleted computer must be reassigned to the new account. Delete computer objects
only when you are certain that you no longer require those security-related attributes
of the object.
To delete a computer account using Active Directory Users And Computers, locate and
select the computer object and, from the Action menu or the shortcut menu, select the
Delete command. You will be prompted to confirm the deletion and, because deletion
is not reversible, the default response to the prompt is No. Select Yes and the object is
deleted.
The Dsrm command-line tool introduced in Chapter 3 allows you to delete a computer
object from the command prompt. To delete a computer with Dsrm, type:
DSRM ObjectDN
Where ObjectDN is the distinguished name of the computer, such as “CN=Desktop15,
OU=Desktops,DC=contoso,DC=com.” Again, you will be prompted to confirm the
deletion.
Tip When a computer is disjoined from a domain—when an administrator changes the
membership of the computer to a workgroup or to another domain—the computer attempts
to delete its computer account in the domain. If it is not possible to do so because of lack of
connectivity, networking problems, or credentials and permissions, the account will remain in
Active Directory. It might appear, immediately or eventually, as disabled. If that account is no
longer necessary, it must be deleted manually.
If a computer is taken offline or is not to be used for an extended period of time, you should consider disabling the account. Such an action reflects the security principle that an identity store allow authentication only of the minimum number of accounts required to achieve the goals of an organization. Disabling the account does not modify the computer’s SID or group membership, so when the computer is brought back online, the account can be enabled.
The context menu, or Action menu, of a selected computer object exposes the Disable Account command. A disabled account appears with a red “X” icon in the Active Directory Users And Computers snap-in, as shown in Figure 5-5.
Figure 5-5 A disabled computer account
While an account is disabled, the computer cannot create a secure channel with the
domain. The result is that users who have not previously logged on to the computer,
and who therefore do not have cached credentials on the computer, will be unable to
log on until the secure channel is reestablished by enabling the account.
To enable a computer account, simply select the computer and choose the Enable
Account command from the Action or shortcut menus.
To disable or enable a computer from the command prompt, use the Dsmod command. The Dsmod command modifies Active Directory objects. The syntax used to disable or enable computers is:
DSMOD COMPUTER ComputerDN -DISABLED YES
DSMOD COMPUTER ComputerDN -DISABLED NO
If a computer account’s group memberships and SID, and the permissions assigned to
that SID, are important to the operations of a domain, you do not want to delete that
account. So what would you do if a computer were replaced with a new system with
upgraded hardware? Such is one scenario in which you would reset a computer
account.
Resetting a computer account resets its password but maintains all of the computer
object’s properties. With a reset password, the account becomes, in effect, “available”
for use. Any computer can then join the domain using that account, including the
upgraded system.
In fact, the computer that had previously joined the domain with that account can use
the reset account by simply rejoining the domain. This reality will be explored in more
detail in the troubleshooting lesson.
The Reset Account command is available in the Action and context menus when a computer object is selected. The Dsmod command can also be used to reset a computer account, with the following syntax:
dsmod computer ComputerDN -reset
The Netdom command, included with the Windows Server 2003 Support Tools in the CD-ROM’s Support\Tools directory, also enables you to reset a computer account.
Recognizing Computer Account Problems
Computer accounts and the secure relationships between computers and their domain
are robust. However, certain scenarios might arise in which a computer is no longer
able to authenticate with the domain. Examples of such scenarios include:
■ After reinstalling the operating system on a workstation, the workstation is unable
to authenticate even though the technician used the same computer name.
Because the new installation generated a new SID and the new computer does not
know the computer account password in the domain, it does not belong to the
domain and cannot authenticate to the domain.
■ A computer is completely restored from backup and is unable to authenticate. It is likely that the computer changed its password with the domain after the backup operation. Computers change their passwords every 30 days, and Active Directory remembers the current and previous password. If the restore operation restored the computer with a significantly outdated password, the computer will not be able to authenticate.
In the rare circumstance that an account or secure channel breaks down, the symptoms of
failure are generally obvious. The most common signs of computer account problems are:
■ Messages at logon indicate that a domain controller cannot be contacted, that the
computer account might be missing, that the password on the computer account
is incorrect, or that the trust (another way of saying “the secure relationship”)
between the computer and the domain has been lost. An example is shown in
Figure 5-6.
Figure 5-6 Logon message from a Windows XP client indicating a possible computer account problem
■ Error messages or events in the event log indicating similar problems or suggesting that passwords, trusts, secure channels, or relationships with the domain or a domain controller have failed. One such error is NETLOGON Event ID 3210: Failed To Authenticate, which appears in the computer’s event log.
■ A computer account is missing in Active Directory.
If one of these situations occurs, you must troubleshoot the account. You learned earlier how to delete, disable, and reset a computer account and, at the beginning of the chapter, how to join a machine to the domain.
The rules that govern troubleshooting a computer account are:
A. If the computer account exists in Active Directory, it must be reset.
B. If the computer account is missing in Active Directory, you must create a computer account.
C. If the computer still belongs to the domain, it must be removed from the domain by changing its membership to a workgroup. The name of the workgroup is irrelevant. Best practice is to choose a workgroup name that you know is not in use.
In scenarios involving computer failure or the deployment of a new system to a
user, you accomplish this step by installing or reinstalling the operating system
using the same computer name as the previous system.
D. Rejoin the computer to the domain. Alternatively, join another computer to the
domain; but the new computer must have the same name as the computer account.
To troubleshoot any computer account problem, apply all four rules. These rules can
be addressed in any order, except that Rule D, involving rejoining the computer to the
domain, must, as always, be performed as the final step. Let’s examine two scenarios.
In the first scenario, a user complains that when he or she attempts to log on, the system presents error messages indicating that the computer account might be missing. Applying Rule A, you open Active Directory Users And Computers and find that the computer account exists. You reset the account. Rule B does not apply—the account does exist. Then, using Rule C, you disjoin the system from the domain and, following Rule D, rejoin the domain.
In a second scenario, if a computer account is reset by accident, the first item that has
occurred is Rule A. Although the reset is accidental, you must continue to recover by
applying the remaining three rules. Rule B does not apply because the account exists
in the domain. Rule C indicates that if the computer is still joined to the domain, it must
be removed from the domain. Then, by Rule D, it can rejoin the domain.
Exam Tip With these four rules, you can make an informed decision, on the job or on the certification exams, about how to address any scenario in which a computer account has lost functionality.
One other easily solved scenario arises when the computer’s account has been disabled. Simply right-click the computer object in Active Directory Users And Computers and choose Enable.
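The symptoms list and the four rules above can be turned into a triage routine that reads an event log export, checks which flagged computers still have accounts (from DSQUERY output), and emits the ordered steps per computer. This is an added example, not from the training kit: the CSV export layout, the sample events and the sample DSQUERY output are constructed, and the command hints in the step text are the Dsmod and Dsadd syntax the lesson shows.

```python
"""Triage computer-account problems from an event log export and apply the
four troubleshooting rules (A-D), with the disabled-account shortcut.

Added example, not part of the training kit. The CSV layout and the sample
event and dsquery text below are constructed for illustration.
"""
import csv
import io

# Constructed sample: System log rows exported from several workstations.
# NETLOGON 3210 is the "Failed To Authenticate" event the lesson names.
SAMPLE_EVENT_EXPORT = """\
Computer,Source,EventID,Message
DESKTOP03,NETLOGON,3210,Failed to authenticate with \\\\SERVER01 a domain controller for domain CONTOSO.
DESKTOP03,Service Control Manager,7036,The Print Spooler service entered the running state.
EB-2841,NETLOGON,3210,Failed to authenticate with \\\\SERVER01 a domain controller for domain CONTOSO.
EB-2842,NETLOGON,3210,Failed to authenticate with \\\\SERVER01 a domain controller for domain CONTOSO.
WB-3748,Service Control Manager,7036,The Workstation service entered the running state.
"""

# Constructed sample: what DSQUERY COMPUTER prints for the relevant OUs.
# EB-2842 has no account here, so Rule B (create) will apply to it.
SAMPLE_DSQUERY_OUTPUT = """\
"CN=Desktop03,OU=Desktops,DC=contoso,DC=com"
"CN=EB-2841,OU=EastBranch,DC=contoso,DC=com"
"""


def computers_with_account_problems(export_text):
    """Return the set of computer names that logged NETLOGON event 3210."""
    flagged = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Source"].upper() == "NETLOGON" and row["EventID"] == "3210":
            flagged.add(row["Computer"].upper())
    return flagged


def account_names_from_dsquery(dsquery_text):
    """Extract the CN (the computer name) from each quoted DN line."""
    names = set()
    for line in dsquery_text.splitlines():
        dn = line.strip().strip('"')
        if dn.upper().startswith("CN="):
            # First RDN ends at the first comma; computer names cannot contain one.
            names.add(dn[3:].split(",", 1)[0].upper())
    return names


def remediation_steps(computer, account_names, still_joined, disabled_names=frozenset()):
    """Apply the lesson's rules A-D; Rule D (rejoin) is always the last step."""
    name = computer.upper()
    if name in disabled_names:
        # The easy case from the lesson: a disabled account only needs enabling.
        return [f"Enable the computer account {name}"]
    steps = []
    if name in account_names:
        steps.append(f"A: reset the computer account {name} (dsmod computer <DN> -reset)")
    else:
        steps.append(f"B: create a computer account named {name} (dsadd computer <DN>)")
    if still_joined:
        steps.append(f"C: move {name} to a workgroup whose name is not in use")
    steps.append(f"D: rejoin {name} to the domain")
    return steps


def triage(export_text, dsquery_text, still_joined=True, disabled_names=frozenset()):
    """Map each flagged computer to its ordered remediation steps."""
    accounts = account_names_from_dsquery(dsquery_text)
    return {c: remediation_steps(c, accounts, still_joined, disabled_names)
            for c in sorted(computers_with_account_problems(export_text))}


if __name__ == "__main__":
    for computer, steps in triage(SAMPLE_EVENT_EXPORT, SAMPLE_DSQUERY_OUTPUT).items():
        print(computer)
        for step in steps:
            print("   ", step)
```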
Practice: Troubleshooting Computer Accounts
In this practice, you will troubleshoot a realistic scenario. A user in the contoso.com
domain contacts you and complains that, when logging on to Desktop03, he or she
receives the following error message:
“Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance.”
The user waited, attempted to log on, received the same message, waited again, and
then received the same message a third time. The user has now spent 20 minutes trying
to log on. In obvious frustration, the user contacts you for assistance.
Exercise 1: Troubleshooting Computer Accounts
1. Identify the most likely cause of the user’s problem:
a. The user entered an invalid user name.
b. The user entered an invalid password.
c. The user chose the incorrect domain from the Log On To list.
d. The computer has lost its secure channel with the domain.
e. The computer’s registry is corrupted.
f. The computer has a policy preventing the user from logging on interactively.
2. Identify the steps from the list below that you must take to troubleshoot the problem. Put the steps in order. You might not require all steps.
a. Enable the computer account.
b. Change Desktop03 to belong to contoso.com.
c. Determine whether the computer account exists in Active Directory.
d. Reset or re-create the computer account.
e. Change Desktop03 to a workgroup.
f. Delete the computer account.
g. Disable the computer account.
Exercise 2: Recover from Computer Account Problems
1. Open Active Directory Users And Computers.
2. Click Find Objects In Active Directory and search for Desktop03.
3. Desktop03 appears in the search results because you created it in Lesson 1.
4. Having identified that the account does exist, reset the account by right-clicking
Desktop03 and choosing Reset Account.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. After a period of expansion, your company created a second domain. Last weekend, a number of machines that had been in your domain were moved to the new domain. When you open Active Directory Users And Computers, the objects for those machines are still in your domain, and are displayed with a red “X” icon. What is the most appropriate course of action?
a. Enable the accounts
b. Disable the accounts
c. Reset the accounts
d. Delete the accounts
2. A user reports that during a logon attempt, a message indicated that the computer cannot contact the domain because the domain controller is down or the computer account might be missing. You open Active Directory Users And Computers and discover that the account for that computer is missing. What steps should you take?
3. A user reports that during a logon attempt, a message indicates that the computer cannot contact the domain because the domain controller is down or the computer account might be missing. You open Active Directory Users and Computers and see that computer’s account appears normal. What steps should you take?
Lesson Summary
■ Computers maintain accounts that, like users, include a SID and group memberships. Be careful about deleting computer objects. Disabling computer objects allows you to enable the objects again when the computer needs to participate in the domain.
■ Problems with computer accounts are generally quite evident, with error messages
and events logged that indicate problems in an account, a password, a secure
channel, or a trust relationship.
■ Using the four rules in Lesson 3, you can troubleshoot just about any computer
account problem.
Case Scenario Exercise
Contoso decides to open two branch offices: East and West. Computers are purchased
for 10 sales representatives in each office. The asset tags assigned to the computers are
shown in the following table.
East Branch West Branch
EB-2841 WB-3748
EB-2842 WB-3749
EB-2843 WB-3750
EB-2844 WB-3751
EB-2845 WB-3752
EB-2846 WB-3753
EB-2847 WB-3754
EB-2848 WB-3755
EB-2849 WB-3756
EB-2850 WB-3757
Your job is to prepare Active Directory for the deployment of these computers.
Exercise 1: Create OUs
Create two OUs in the contoso.com domain: EastBranch and WestBranch. Type the
names as shown. Do not put a space between the words.
Exercise 2: Script the Creation of Computer Accounts
1. Open Notepad.
2. Type a line for each computer, following this example:
DSADD COMPUTER "CN=EB-2841,OU=EastBranch,DC=Contoso,DC=COM" -desc "Sales Rep Computer" -loc "East Branch Office"
Be sure to modify the CN= parameter to match the asset tag of each computer, and
the OU= and -loc parameters to reflect the name and location description of the
branch office for each computer.
3. Save the file as “C:\ScriptComputers.bat” and be sure to surround the name with quotation marks, or Notepad will add a .txt extension automatically.
4. Open a command prompt and type c:\scriptcomputers.
5. Confirm the successful generation of the computer accounts by examining the
EastBranch and WestBranch OUs. The MMC does not refresh automatically, so
press F5 to refresh if you do not see the new computers initially.
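The batch file this exercise has you type by hand can be generated from the asset-tag table. This is an added example, not from the training kit: it assumes the same DN, -desc and -loc values as the sample line above, and adds two checks the exercise does not discuss, a NetBIOS computer-name check and RFC 4514 escaping of RDN values, so that the generated DSADD lines cannot break on an odd asset tag or OU name.

```python
"""Generate the Case Scenario batch file (Exercise 2) from the asset-tag table.

Added example, not from the training kit: emits one DSADD COMPUTER line per
asset tag, rejecting names that cannot be NetBIOS computer names and
escaping RDN values per RFC 4514 before embedding them in the DN.
"""

# Asset tags from the Case Scenario table, keyed by OU name: (-loc text, tags).
BRANCHES = {
    "EastBranch": ("East Branch Office", [f"EB-{n}" for n in range(2841, 2851)]),
    "WestBranch": ("West Branch Office", [f"WB-{n}" for n in range(3748, 3758)]),
}
DOMAIN_DN = "DC=Contoso,DC=COM"
DESCRIPTION = "Sales Rep Computer"

# Characters that are not permitted in a NetBIOS computer name.
_ILLEGAL_NAME_CHARS = set('\\/:*?"<>|,;')


def is_valid_computer_name(name):
    """True if name can be a NetBIOS computer name: 1-15 chars, no whitespace or illegal chars."""
    if not 1 <= len(name) <= 15:
        return False
    return not any(c.isspace() or c in _ILLEGAL_NAME_CHARS for c in name)


def escape_rdn_value(value):
    """Escape an attribute value for use in an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)          # always escaped
        elif ch == "#" and i == 0:
            out.append("\\#")              # only a leading '#' needs escaping
        elif ch == " " and i in (0, last):
            out.append("\\ ")              # only leading/trailing spaces
        else:
            out.append(ch)
    return "".join(out)


def computer_dn(name, ou, domain_dn=DOMAIN_DN):
    """Build the DN DSADD expects, e.g. CN=EB-2841,OU=EastBranch,DC=Contoso,DC=COM."""
    return f"CN={escape_rdn_value(name)},OU={escape_rdn_value(ou)},{domain_dn}"


def dsadd_line(name, ou, location, description=DESCRIPTION):
    """One DSADD COMPUTER command in the form the exercise uses."""
    if not is_valid_computer_name(name):
        raise ValueError(f"{name!r} is not a valid computer name")
    return (f'DSADD COMPUTER "{computer_dn(name, ou)}" '
            f'-desc "{description}" -loc "{location}"')


def build_batch(branches=BRANCHES):
    """Return the full contents of ScriptComputers.bat (a REM line per OU, then its DSADD lines)."""
    lines = []
    for ou, (location, tags) in branches.items():
        lines.append(f"REM {ou}: {len(tags)} computers")
        lines.extend(dsadd_line(tag, ou, location) for tag in tags)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_batch(), end="")
```

Redirect the output to the .bat file named in step 3 instead of typing the twenty lines by hand.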
Troubleshooting Lab
Following a weekend during which a consultant performed maintenance on the computers in the East Branch Office, users complain of trouble logging on. You examine the event log on one of the branch office computers and discover the following event:
There seems to be a problem with the computer account.
Which of the following steps must be performed to correct the problem?
1. Delete the computer accounts
2. Reset the user accounts
3. Join the computers to a workgroup
4. Disable the computer accounts
5. Reset the computer accounts
6. Enable the computer accounts
7. Create new computer accounts
8. Join the computers to the domain
Exercise 1 (Optional): Simulation of the Problem
If you joined a second computer to the Contoso domain in Lesson 1, move the computer object for that computer into the EastBranch OU. Then, in Active Directory Users And Computers, reset the computer’s account.
1. When you restart the computer, try logging on to the domain. Are you successful?
Can you log on with Contoso domain accounts you have used in the past to log
on to the computer? Why? (Hint: cached logons)
2. Can you log on with new domain accounts, which have never logged on to the
computer? When you attempt to do so, you will receive a typical error message
indicating that the computer account might be missing.
3. Log on as the local Administrator and examine the event log. What error messages
appear?
Exercise 2: Reset All East Branch Computer Accounts
The fastest way to reset the computer accounts, particularly because all the accounts
are in the same OU, will be a command-line tool.
1. Open a command prompt.
2. Type the following command:
DSQUERY COMPUTER "OU=EastBranch,DC=contoso,DC=com"
This command queries Active Directory for a list of computers in the EastBranch
OU. The list should match the computer accounts created in the Case Scenario
exercise.
3. Type the following command:
DSQUERY COMPUTER "OU=EastBranch,DC=contoso,DC=com" | DSMOD COMPUTER -RESET
This time, we pipe the results of the DSQUERY command to the input of DSMOD. The DSMOD COMPUTER -RESET command will reset each of those accounts. Mission accomplished.
Exercise 3 (Optional): Rejoin the Domain
If you have a second system, just reset its computer account. You can now practice
removing the machine from the domain by changing its membership to a workgroup.
After restarting, join the domain again.
Chapter Summary
■ You must have permissions to create a computer object in Active Directory. Administrators and Account Operators have sufficient permissions, and permissions can be delegated to other users or groups.
■ When creating a computer object, you can specify what user or group can join the computer to the domain using that account.
■ Active Directory Users And Computers allows you to create, modify, delete, disable, enable, and reset computer objects.
■ From the command prompt, you can create a computer object with Dsadd Computer and modify its properties using Dsmod Computer.
■ Dsmod Computer is also used to reset, disable, and enable a computer object. Dsrm will remove a computer object. The support tool, Netdom, includes numerous switches to achieve similar tasks.
■ A common troubleshooting recovery includes re-creating or resetting a computer account, removing the computer from the domain, and rejoining the domain.
Exam Highlights
Before taking the exam, review the key points and terms that are presented below to help you identify topics you need to review. Return to the lessons for additional practice and review the “Further Reading” sections in Part 2 for pointers to more information about topics covered by the exam objectives.
Key Points
■ Identify the minimum permissions required to create a computer object in Active
Directory and the permissions required to change a machine’s membership
between workgroups and domains.
■ Know the syntax of the Dsadd, Dsmod, and Dsrm commands. Remember that
Dsmod and Dsadd require one, or more, distinguished names as parameters. The
Dsquery command can be used to provide those names to Dsmod.
■ Be very clear on the differences among disabling, resetting, and deleting a computer account. What is the impact of each on the computer object, its SID and group membership, and on the system itself?
■ Know the four rules for troubleshooting computer account problems. Apply all four, every time, and you will be likely to nail every computer account troubleshooting question.
■ Be comfortable with finding objects in Active Directory and managing those
objects from the search results. This skill set applies to many objects in Active
Directory, and several objectives of the certification exam.
Key Terms
computer account An account created in Active Directory that uniquely identifies
the computer in the domain.
Questions and Answers
Lesson 1 Review (page 5-11)
1. What are the minimum credentials necessary to create a Windows Server 2003
computer account in an OU in a domain? Consider all steps of the process.
Assume Active Directory does not yet have an account for the computer.
a. Domain Admins
b. Enterprise Admins
c. Administrators on a domain controller
d. Account Operators on a domain controller
e. Server Operators on a domain controller
f. Account Operators on the server
g. Server Operators on the server
h. Administrators on the server
The correct answers are d and h. Account Operators on a domain controller are assigned the
minimum permissions necessary to create a computer object in the domain. You must be a
member of the local Administrators group on the server to change its domain membership.
2. Which locations allow you to change the domain membership of a computer running Windows Server 2003?
a. The properties of My Computer
b. Control Panel’s System application
c. Active Directory Users and Computers
d. The Network Connections folder
e. The Users application in Control Panel
The correct answers are a, b, and d.
3. What command-line tools will create a domain computer account in Active
Directory?
a. Netdom
b. Dsadd
c. Dsget
d. Netsh
e. Nslookup
The correct answers are a and b.
Lesson 2 Review (page 5-17)
1. What platforms are capable of joining a domain?
a. Windows 95
b. Windows NT 4
c. Windows 98
d. Windows 2000
e. Windows Me
f. Windows XP
g. Windows Server 2003
The correct answers are b, d, f, and g.
2. You open a computer object and, on the Operating System tab, discover that no
properties are displayed. What causes these properties to be absent?
A computer has not joined the domain using that account. When a system joins the domain, by
default it populates the properties shown on the Operating System tab.
3. An executive has a laptop running Windows XP, with a machine name of “TopDog.” You want to allow the executive’s laptop to join the domain, and you want to be sure that the computer is configured by the group policies linked to the Desktops OU immediately. How can you achieve this goal?
Create a computer object in the Desktops OU for the TopDog computer. While creating the
account, select the executive’s user account for the property The Following User Or Group Can
Join This Computer To A Domain.
4. Why is it a best practice to create a computer account in the domain prior to joining a machine to the domain?
There are several reasons why it is a best practice to create a computer account in the domain
prior to joining a machine to the domain. The first reason relates to the fact that if an account
is not created in advance, one will be generated automatically when the computer joins the
domain, and that account will be located in the default Computers container. The result is that
computer policies, which are typically linked to specific OUs, will not apply to the newly joined
computer. And, because most organizations do have specific OUs for computers, you are left
with an extra step to remember: moving the computer object to the correct OU after joining the
domain. Finally, by creating a computer object in advance, you can specify which groups (or
users) are allowed to join a system to the domain with that account. In short, you have more
flexibility and control during deployment.
Lesson 3, Practice, Exercise 1 (page 5-24)
1. Identify the most likely cause of the user’s problem:
a. The user entered an invalid user name.
b. The user entered an invalid password.
c. The user chose the incorrect domain from the Log On To list.
d. The computer has lost its secure channel with the domain.
e. The computer’s registry is corrupted.
f. The computer has a policy preventing the user from logging on interactively.
The correct answer, as you can probably deduce, is d. The computer has lost its secure channel
with the domain.
2. Identify the steps from the list below that you must take to troubleshoot the prob-
lem. Put the steps in order. You might not require all steps.
a. Enable the computer account.
b. Change Desktop03 to belong to contoso.com.
c. Determine whether the computer account exists in Active Directory.
d. Reset or re-create the computer account.
e. Change Desktop03 to a workgroup.
f. Delete the computer account.
g. Disable the computer account.
The correct answer is steps e, c, d, and b. Step e does not have to occur first; it just has to be
done anytime before step b. Steps c and d must occur in that order, before step b, which must
be the last step.
Lesson 3 Review (page 5-24)
1. After a period of expansion, your company created a second domain. Last weekend, a number of machines that had been in your domain were moved to the new
domain. When you open Active Directory Users And Computers, the objects for
those machines are still in your domain, and are displayed with a red “X” icon.
What is the most appropriate course of action?
a. Enable the accounts
b. Disable the accounts
c. Reset the accounts
d. Delete the accounts
The correct answer is d. When the machines were removed from the domain, their accounts
were not deleted, probably due to permissions settings. The machines now belong to another
domain. These accounts are no longer necessary.
2. A user reports that during a logon attempt, a message indicated that the computer cannot contact the domain because the domain controller is down or the computer account might be missing. You open Active Directory Users And Computers and discover that the account for that computer is missing. What steps should you take?
Create a computer account, disjoin the user’s computer from the domain, and then rejoin it to
the domain.
3. A user reports that during a logon attempt, a message indicates that the computer cannot contact the domain because the domain controller is down or the computer account might be missing. You open Active Directory Users and Computers
and that computer’s account appears normal. What steps should you take?
Reset the computer account, disjoin the computer from the domain, and then rejoin it to the
domain.
Troubleshooting Lab (page 5-27)
Which of the following steps must be performed to correct the problem?
1. Delete the computer accounts
2. Reset the user accounts
3. Join the computers to a workgroup
4. Disable the computer accounts
5. Reset the computer accounts
6. Enable the computer accounts
7. Create new computer accounts
8. Join the computers to the domain
The correct answer is 5, 3, and 8. This is the most efficient solution; it involves resetting computer accounts and rejoining machines to the domain.
6 Files and Folders
Exam Objectives in this Chapter:
■ Configure access to shared folders
❑ Manage shared folder permissions
■ Troubleshoot Terminal Services
❑ Diagnose and resolve issues related to Terminal Services security
■ Configure file system permissions
❑ Verify effective permissions when granting permissions
❑ Change ownership of files or folders
■ Troubleshoot access to files and shared folders
■ Manage a Web server
❑ Manage Internet Information Services (IIS)
❑ Manage security for IIS
Why This Chapter Matters
Among the more common daily challenges facing you as an administrator are tasks related to the maintenance of network files and folders—resources that are required by users in your organization. When a user cannot access a resource that he or she needs to complete a business task, the telephone at the help desk rings. As a result, you spend time and money modifying permissions or group memberships to correct the problem. When a sensitive resource is accessed by someone who should not be able to do so, the telephone on your desk rings—and as a result, you might have to spend time and money looking for a new job.
You have no doubt experienced the fundamental components of resource security in Windows technologies—the assigning of access permissions to users or groups. Microsoft Windows Server 2003 offers enhancements, nuances, tools, and capabilities beyond the feature set of Microsoft Windows 2000 and Windows XP, and strikingly different from Microsoft Windows NT 4. Each of these additions will affect the best practices for managing and troubleshooting files and folders.
6-2 Chapter 6 Files and Folders
In this chapter, you will review the concepts and skills related to managing shared folders and examine the useful Shared Folders snap-in. You will explore the Access Control List Editor, or ACL editor, with its multiple dialog boxes, each of which supports important functionality. After examining a variety of permission configurations, you will evaluate effective permissions, the resulting set of permissions for a user based on user and group permissions, and you will configure auditing to monitor for specific file access and operations. Finally, you will turn to IIS, which, like the File and Print Sharing service, offers another way to provide network access to files and folders.
Lessons in this Chapter:
■ Lesson 1: Setting Up Shared Folders (page 6-3)
■ Lesson 2: Configuring File System Permissions (page 6-13)
■ Lesson 3: Auditing File System Access (page 6-32)
■ Lesson 4: Administering Internet Information Services (page 6-39)
Before You Begin
This chapter presents the skills and concepts related to computer accounts in the
Microsoft Active Directory directory service. If you want hands-on practice by using the
examples and lab exercises in the chapter, prepare the following:
■ A Windows Server 2003 (Standard or Enterprise Edition) installed as Server01 and
configured as a domain controller in the contoso.com domain.
■ First-level organizational units (OUs): Security Groups and Employees
■ The Domain Users group must be a member of Print Operators so that, during lab
exercises, “normal” users can log on to a domain controller.
■ Five global security groups in the Security Groups organizational unit (OU):
Project 101 Team, Project 102 Team, Engineers, Managers, and Project Contractors.
■ User accounts in the Employees OU for Scott Bishop, Dan Holme, Danielle Tiedt, and Lorrin Smith-Bates, with Scott Bishop belonging to the Engineers, Project Contractors, and Project 101 Team groups; Danielle Tiedt belonging to the Engineers and Project 101 Team; Dan Holme belonging to the Engineers group; and Lorrin Smith-Bates belonging to the Managers and Project 101 Team.
■ Access to the Shared Folders snap-in through the Computer Management console, File Server Management console (available through Manage Your Server), or a custom Microsoft Management Console (MMC) console.
Lesson 1: Setting Up Shared Folders
We would not have networks, or our jobs, if organizations did not find it valuable to
provide access to information and resources stored on one computer to users of
another computer. Creating a shared folder to provide such access is therefore among
the most fundamental tasks for any network administrator. Windows Server 2003
shared folders are managed with the Shared Folders snap-in.
After this lesson, you will be able to
■ Create a shared folder with Windows Explorer and the Shared Folders snap-in
■ Configure permissions and other properties of shared folders
■ Manage user sessions and open files
Estimated lesson time: 15 minutes
Sharing a Folder
Sharing a folder configures the File And Printer Sharing For Microsoft Networks service
(also known as the Server service) to allow network connections to that folder and its
subfolders by clients running the Client For Microsoft Networks (also known as the
Workstation service).
Note New in SP1! Windows Firewall, introduced by SP1 and disabled by default following
Post-Setup Security Updates, will block clients from accessing shared files and folders on a
server if enabled. Be sure to set an exception for File And Printer Sharing, which opens TCP
ports 139 and 445 and UDP ports 137 and 138. It is also common to create an exception for
Remote Administration (ports 135 and 445) and to allow incoming ping requests, an Internet
Control Message Protocol (ICMP) exception.
You certainly have shared a folder using Windows Explorer by right-clicking a folder, choosing Sharing And Security, and selecting Share This Folder. However, the familiar Sharing tab of a folder’s properties dialog box in Windows Explorer is available only when you configure a share while logged on to a computer interactively or through terminal services. You cannot share a folder on a remote system using Windows Explorer. Therefore, you will examine the creation, properties, configuration, and management of a shared folder using the Shared Folders snap-in, which can be used on both local and remote systems.
When you open the Shared Folders snap-in, either as a custom MMC snap-in or as part of the Computer Management or File Server Management consoles, you will immediately notice that Windows Server 2003 has several default administrative shares already configured. These shares provide connection to the system directory (typically, C:\Windows) as well as to the root of each fixed hard disk drive. Each of these shares uses the dollar sign ($) in the share name. The dollar sign at the end of a share name configures the share as a hidden share that will not appear on browse lists but that you may connect to with a Universal Naming Convention (UNC) path in the form \\servername\sharename$.
Tip A system’s Administrators, Server Operators, and Backup Operators groups can connect to the administrative shares.
To share a folder on a computer, connect to the computer using the Shared Folders
snap-in by right-clicking the root Shared Folders node and choosing Connect To
Another Computer. Once the snap-in is focused on the computer, click the Shares node
and, from the shortcut or Action menu, choose New Share.
Tip You must be a member of the system’s Administrators group or Power Users group to
create a shared folder.
The important pages and settings exposed by the wizard are
■ The Folder Path page: Type the path to the folder on the local hard drives so, for example, if the folder is located on the server’s D drive, the folder path would be D:\foldername.
■ The Name, Description, and Settings page: Type the share name. If your network has any down-level clients (those using DOS-based systems), be sure to adhere to the 8.3 naming convention to ensure their access to the shares. The share name will, with the server name, create the UNC to the resource in the form \\servername\sharename. Add a dollar sign ($) to the end of the share name to make the share a hidden share. Unlike the built-in hidden administrative shares, hidden shares that are created manually can be connected to by any user, restricted only by the share permissions on the folder.
■ The Permissions page: Select the appropriate share permissions.
Managing a Shared Folder
The Shares node in the Shared Folders snap-in lists all shares on a computer and provides a context menu for each share that enables you to stop sharing the folder, open the share in Windows Explorer, or configure the share’s properties. All the properties that you are prompted to fill out by the Share A Folder Wizard can be modified in the share’s Properties dialog box, illustrated in Figure 6-1.
Figure 6-1 The General tab of a shared folder
The Properties tabs in the dialog box are
■ General: The first tab provides access to the share name, folder path, description, the number of concurrent user connections, and offline files settings. The share name and folder path are read-only. To rename a share, you must first stop sharing the folder and then create a share with the new name and share permissions.
■ Publish: If you select the Publish This Share In Active Directory check box (as shown in Figure 6-2), an object is created in Active Directory to represent the shared folder.
Figure 6-2 The Publish tab of a shared folder
The object’s properties include a description and keywords. Administrators can
then locate the shared folder based on its description or keywords, using the Find
Users, Contacts and Groups dialog box. By selecting Shared Folders from the Find
drop-down list, this dialog box becomes the Find Shared Folders dialog box
shown in Figure 6-3.
Figure 6-3 Searching for a shared folder
■ Share Permissions: The Share Permissions tab allows you to configure share permissions.
■ Security: The Security tab allows you to configure NTFS file system permissions for the folder.
Configuring Share Permissions
Available share permissions are listed in Table 6-1. Although share permissions are not as detailed as NTFS permissions, they allow you to configure a shared folder for fundamental access scenarios: Read, Change, and Full Control.
Table 6-1 Share Permissions
Read: Users can display folder names, file names, file data, and attributes. Users can also run program files and access other folders within the shared folder.
Change: Users can create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files, and perform actions permitted by the Read permission.
Full Control: Users can change file permissions, take ownership of files, and perform all tasks allowed by the Change permission.
Share permissions can be allowed or denied. The effective set of share permissions is the cumulative result of the Allow permissions granted to a user and all groups to which that user belongs. If, for example, you are a member of a group that has Read permission and a member of another group that has Change permission, your effective permissions are Change. However, a Deny permission will override an Allow permission. Therefore, if you are in one group that has been allowed Read access and in another group that has been denied Full Control, you will be unable to read the files or folders in that share.
Share permissions define the maximum effective permissions for all files and folders beneath the shared folder. Permissions can be further restricted, but cannot be broadened, by NTFS permissions on specific files and folders. Said another way, a user’s access to a file or folder is the most restrictive set of effective permissions between share permissions and NTFS permissions on that resource. If you want a group to have full control of a folder and have granted full control through NTFS permissions, but the share permission is the default (Everyone: Allow Read) or even if the share permission allows Change, that group’s NTFS full control access will be limited by the share permission. This dynamic means that share permissions add a layer of complexity to the management of resource access and is one of several reasons that organizations cite for their directives to configure shares with open share permissions (Everyone: Allow Full Control), and to use only NTFS permissions to secure folders and files. See the “Three Views of Share Permissions” sidebar for more information about the variety of perspectives and drivers behind discussions of share permissions.
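The three rules just described (Allow entries accumulate across a user’s groups, a Deny overrides, and network access is the more restrictive of the share and NTFS permissions) as an added worked example. This is not code from the training kit; the users, groups, and ACLs are constructed sample data, and the share templates are modelled as nested sets of rights.

```python
"""Evaluate effective access when share permissions and NTFS permissions combine.

Added example; not part of the training kit. It models the rules the lesson
states: Allow entries accumulate across a user's groups, any matching Deny
overrides, and access through Client for Microsoft Networks is the more
restrictive of the share permission and the NTFS permission. All users,
groups, and ACLs below are constructed sample data.
"""

# Each template is a set of rights; Change includes Read, Full Control includes both.
RIGHTS = {
    "Read": {"read"},
    "Change": {"read", "write"},
    "Full Control": {"read", "write", "manage"},
}


def principals_for(user, groups):
    """A token holds the user's SID, the SIDs of its groups, and Everyone."""
    return {user, "Everyone", *groups}


def effective_rights(acl, principals):
    """Combine the ACEs in one ACL (share or NTFS) that match the token.

    acl is a list of (principal, "Allow" | "Deny", template) tuples.
    Allows accumulate; a Deny removes every right in its template, so
    Deny Full Control removes read as well, as the lesson describes.
    """
    allowed, denied = set(), set()
    for principal, kind, template in acl:
        if principal in principals:
            (allowed if kind == "Allow" else denied).update(RIGHTS[template])
    return allowed - denied


def template_name(rights):
    """Name the broadest template fully contained in a rights set."""
    for name in ("Full Control", "Change", "Read"):
        if RIGHTS[name] <= rights:
            return name
    return "None"


def effective_access(share_acl, ntfs_acl, principals, via_network=True):
    """Effective template for one user on one resource.

    Share permissions bound network access only; a local or terminal
    services logon sees the NTFS permissions alone.
    """
    ntfs = effective_rights(ntfs_acl, principals)
    if not via_network:
        return template_name(ntfs)
    share = effective_rights(share_acl, principals)
    return template_name(share & ntfs)  # most restrictive of the two


DEFAULT_SHARE = [("Everyone", "Allow", "Read")]        # Windows Server 2003 default
OPEN_SHARE = [("Everyone", "Allow", "Full Control")]   # the "real-world" rule


def scenarios():
    """Constructed cases illustrating each rule; returns {label: result}."""
    results = {}
    # Allows accumulate: Read from one group plus Change from another = Change.
    share = [("Readers", "Allow", "Read"), ("Editors", "Allow", "Change")]
    results["cumulative allow"] = template_name(
        effective_rights(share, principals_for("alice", ["Readers", "Editors"])))
    # Deny overrides: Allow Read in one group, Deny Full Control in another.
    share = [("Readers", "Allow", "Read"), ("Blocked", "Deny", "Full Control")]
    results["deny overrides"] = template_name(
        effective_rights(share, principals_for("alice", ["Readers", "Blocked"])))
    # Default share permission caps NTFS Full Control at Read over the network...
    ntfs = [("Engineers", "Allow", "Full Control")]
    eng = principals_for("bob", ["Engineers"])
    results["default share, network"] = effective_access(DEFAULT_SHARE, ntfs, eng)
    # ...but not for an interactive logon on the server itself.
    results["default share, local"] = effective_access(
        DEFAULT_SHARE, ntfs, eng, via_network=False)
    # Open share permission leaves NTFS permissions as the only limit.
    results["open share, network"] = effective_access(OPEN_SHARE, ntfs, eng)
    return results


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:>24}: {result}")
```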
Three Views of Share Permissions
It is important to understand the perspectives from which share permissions are addressed in real-world implementations by Microsoft and by certification objectives and resources such as this book.
Share Permission Limitations
Share permissions have significant limitations, including the following:
■ Scope: Share permissions apply only to network access through the Client for Microsoft Networks; they do not apply to local or terminal service access to files and folders, nor to other types of network access such as Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Telnet, and so on.
■ Replication: Share permissions do not replicate through file replication service (FRS).
■ Resiliency: Share permissions are not included in a backup or restore of a data volume.
■ Fragility: Share permissions are lost if you move or rename the folder that is shared.
■ Lack of detailed control: Share permissions are not granular; they provide a single permissions template that applies to every file and folder beneath the shared folder. You cannot enlarge access to any folder or file beneath the shared folder; and you cannot further restrict access without turning to NTFS permissions.
■ Auditing: You cannot configure auditing based on share permissions.
■ The grass is truly greener: We have NTFS permissions, which are designed to provide solid, secure access control to files and folders. NTFS permissions do replicate, are included in a backup and restore of a data volume, can be audited, and provide extraordinary flexibility as well as ease of management. So organizations rely on NTFS permissions for resource access control.
■ Complexity: If both share permissions and NTFS permissions are applied, the most restrictive permission set will be effective, adding a layer of complexity to analyzing effective permissions and troubleshooting file access.
Real-World Use of Share Permissions
Because of these limitations, the use of share permissions does not occur except for
the extraordinarily rare case in which a drive volume is FAT or FAT32, which then
does not support NTFS permissions. Otherwise, the “real-world” rule is: Configure
shares with Everyone: Allow Full Control share permissions, and lock down the
shared folder, and any other files or folders beneath it, using NTFS permissions.
Microsoft’s Tightening of Share Permissions
Before Windows XP, the default share permission was Everyone: Allow Full Control. Using such a default, adhering to “real-world” policies was simple: administrators didn’t change the share permission but went straight to configuring NTFS permissions. Windows Server 2003 sets Everyone: Allow Read as the default share permission. This is problematic because, for all nonadministrators, the entire shared folder tree is now restricted to read access.
Microsoft made this change with a noble goal: to increase security by restricting the extent to which resources are vulnerable by default when they are shared. Many administrators have shared a folder then forgotten to check NTFS permissions only to discover, too late, that a permission was too “open.” By configuring the share with read permission, Microsoft helps administrators avoid this problem. Unfortunately, most organizations avoid share permissions, due to their limitations, and focus instead on providing security through NTFS permissions. Now administrators must remember to configure share permissions (to Everyone: Allow Full Control) to return to best practices laid out by their organizations.
Certification Objectives
There is a third perspective on share permissions: certification objectives. Although share permissions are typically implemented in accordance with strict enterprise policies (Everyone is allowed Full Control), the fact that share permissions might one day deviate from that setting, and the possibility that data might be stored on a FAT or FAT32 volume, for which share permissions are the only viable option for access control, means that you must understand share permissions to meet the objectives of the MCSA and MCSE exams. Of particular importance are scenarios in which both share permissions and NTFS permissions are applied to a resource, in which case the most restrictive effective permission set becomes the effective permissions set for the resource when it is accessed by a Client For Microsoft Networks service.
So pay attention to share permissions. Learn their nuances. Know how to evaluate effective permissions in combination with NTFS permissions. Then configure your shares according to your organization’s guidelines, which will most likely be, unlike the new default share permission in Windows Server 2003, to allow Everyone Full Control.
! Exam Tip Very few administrators limit the number of user connections to a shared folder, but it can be done. On the certification exam, be aware that limits to the number of user connections might prevent a user from accessing a shared folder. The type of message that a user receives indicates that the server cannot accept connections. Note that Windows XP Professional and Windows 2000 Professional systems cannot accept more than 10 concurrent user connections.
Managing User Sessions and Open Files
Occasionally, a server must be taken offline for maintenance, backups must be run, or
other tasks must be performed that require users to be disconnected and any open files
to be closed and unlocked. Each of these scenarios will use the Shared Folders snap-in.
The Sessions node of the Shared Folders snap-in allows you to monitor the number of
users connected to a particular server and, if necessary, to disconnect the user. The
Open Files node enumerates a list of all open files and file locks for a single server and
allows you to close one open file or disconnect all open files.
Practice: Setting Up Shared Folders
In this practice, you will configure a shared folder and modify the share permissions.
You will then connect to the share and simulate the common procedures used before
taking a server offline.
Exercise 1: Share a Folder
1. Create a folder on your C drive called Docs. Do not share the folder yet.
2. Open the Manage Your Server page from Administrative Tools.
3. In the File Server category, click Manage This File Server. If your server is not configured with the File Server role, you can add the role or launch the File Server Management console using the following Tip.
Tip The File Server Management console is a really nice console, so you might want to create a shortcut to it for easier access. The path to the console is %SystemRoot%\System32\Filesvr.msc.
4. Select the Shares node.
5. Click the Add A Shared Folder link from the task list in the details pane. There are
equivalent commands for adding a shared folder in the Action and the shortcut
menus as well.
6. The Share A Folder Wizard appears. Click Next.
7. Type the path c:\docs and then click Next.
8. Accept the default share name, docs, and then click Next.
9. On the Permissions page, select Use Custom Share And Folder Permissions and
then click Customize.
10. Select the check box to Allow Full Control and then click OK.
11. Click Finish, and then click Close.
Exercise 2: Connect to a Shared Folder
1. In the File Server Management console, select the Sessions node. If the node
shows any sessions, click the Disconnect All Sessions link from the task list, and
then click Yes to confirm.
2. Choose the Run command from the Start menu. Type the UNC to the shared folder, \\server01\docs, and then click OK.
By using a UNC rather than a physical path, such as c:\docs, you create a network connection to the shared folder, just as a user would.
3. In the File Server Management console, click the Sessions node. Notice you are
now listed as maintaining a session with the server. You might need to refresh the
console by pressing F5 to see the change.
4. Select the Open Files node. Notice that you are listed as having c:\docs open.
Exercise 3: Disconnect Sessions from a Server
1. Select the Sessions node in the File Server Management console.
2. Click the Disconnect All Sessions link in the task list.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. Which of the following tools allows you to administer a share on a remote server?
Select all that apply.
a. The Shared Folders snap-in
b. Windows Explorer running on the local machine, connected to the remote
server’s share or hidden drive share
c. Windows Explorer running on the remote machine in a Terminal Services or
Remote Desktop session
d. The File Server Management console
2. A folder is shared on a FAT32 volume. The Project Managers group is given Allow
Full Control share permission. The Project Engineers group is given Allow Read
share permission. Julie belongs to the Project Engineers group. She is promoted
and is added to the Project Managers group. What are her effective permissions to
the folder?
3. A folder is shared on an NTFS volume, with the default share permissions. The
Project Managers group is given Allow Full Control NTFS permission. Julie, who
belongs to the Project Managers group, calls to report problems creating files in
the folder. Why can’t Julie create files?
Lesson Summary
■ Windows Explorer can be used only to configure shares on a local volume. This
means you must be logged on locally (interactively) to the server or using Remote
Desktop (terminal services) to use Explorer to manage shares.
■ The Shared Folders snap-in allows you to manage shares on a local or remote
computer.
■ You can create a hidden share that does not appear on browse lists by adding a dollar sign ($) to the end of the share name. Connections to the share use the UNC format: \\servername\sharename$. Users may connect to the share as long as they know its name and have been allowed access with both share and NTFS permissions. Only administrators can connect to the default hidden administrative shares, including the hidden drive shares.
■ Share permissions define the maximum effective permissions for all files and folders accessed by the Client for Microsoft Networks connection to the shared folder.
■ Share permissions do not apply to local (interactive), terminal services, IIS, or
other types of access.
Lesson 2: Configuring File System Permissions
Windows servers support granular or detailed control of access to files and folders through NTFS. Resource access permissions are stored as access control entries (ACEs) on an ACL that is part of the security descriptor of each resource. When a user attempts to access a resource, the user’s security access token, which contains the security identifiers (SIDs) of the user’s account and group accounts, is compared to the SIDs in the ACEs of the ACL. This process of authorization has not changed fundamentally since Windows NT was introduced. However, the details of the implementation of authorization, the tools available to manage resource access, and the specificity with which you can configure access have changed with each release of Windows.
This lesson will explore the nuances and new features of Windows Server 2003 resource access control. You will learn how to use the ACL editor to manage permissions templates, inheritance, and special permissions and how to evaluate resulting effective permissions for a user or group.
After this lesson, you will be able to
■ Configure permissions with the Windows Server 2003 ACL editor
■ Manage ACL inheritance
■ Evaluate resulting, or effective permissions
■ Verify effective permissions
■ Change ownership of files and folders
■ Transfer ownership of files and folders
Estimated lesson time: 30 minutes
Configuring Permissions
Windows Explorer is the most common tool used to initiate management of resource
access permissions, both on a local volume as well as on a remote server. Unlike
shared folders, Windows Explorer can configure permissions locally and remotely.
The Access Control List Editor
As in earlier versions of Windows, security can be configured for files and folders on any NTFS volume by right-clicking the resource and choosing Properties (or Sharing And Security) then clicking the Security tab. The interface that appears has many aliases; it has been called the Permissions dialog box, the Security Settings dialog box, the Security tab, or the Access Control List editor (ACL editor). Whatever you call it, it looks the same. An example can be seen on the Security tab of the Docs Properties dialog box, as shown in Figure 6-4.
Figure 6-4 The ACL editor in the Docs Properties dialog box
Prior to Windows 2000, permissions were fairly simplistic, but with Windows 2000 and
later versions, Microsoft enabled significantly more flexible and powerful control over
resource access. With more power came more complexity, and now the ACL editor has
three dialog boxes, each of which supports different and important functionality.
The first dialog box provides a “big picture” view of the resource’s security settings or
permissions, allowing you to select each account that has access defined and to see the
permissions templates assigned to that user, group, or computer. Each template shown
in this dialog box represents a bundle of permissions that together allow a commonly
configured level of access. For example, to allow a user to read a file, several granular
permissions are needed. To mask that complexity, you can simply apply the
Allow:Read & Execute permissions template and, behind the scenes, Windows sets the
correct file or folder permissions.
To view more details about the ACL, click Advanced, which exposes the second of the ACL editor’s dialog boxes, the Advanced Security Settings For Docs dialog box, as shown in Figure 6-5. This dialog box lists the specific access control entries that have been assigned to the file or folder. The listing is the closest approximation in the user interface to the actual information stored in the ACL itself. The second dialog box also enables you to configure auditing, manage ownership, and evaluate effective permissions.
Figure 6-5 The ACL editor’s Advanced Security Settings dialog box
If you select a permission in the Permission Entries list and click Edit, the ACL editor’s
third dialog box appears. This Permission Entry For Docs dialog box, shown in Figure
6-6, lists the detailed, most granular permissions that comprise the permissions entry in
the second dialog box’s Permissions Entries list and the first dialog box’s Permissions
For Users list.
Figure 6-6 The ACL editor’s Permission Entry dialog box
! Exam Tip The Shared Folders snap-in also allows you to access the ACL editor. Open the
properties of a shared folder and click the Security tab.
Adding and Removing Permission Entries
Any security principal may be granted or denied resource access permissions. In Windows Server 2003, the valid security principals are: users, groups, computers, and the special InetOrgPerson object class (described in RFC 2798), which is used to represent users in certain cross-directory platform situations. To add a permission, click the Add button on either the first or second ACL editor dialog box. The Select User, Computer Or Group dialog box will help you identify the appropriate security principal. Then select appropriate permissions. The interface has changed slightly from earlier versions of Windows, but not enough to prevent an experienced administrator from mastering the new user interface quickly. You can remove an explicit permission that you have added to an ACL by selecting the permission and clicking Remove.
Modifying Permissions
A permission may be modified in the Security Settings dialog box by selecting or clearing the Allow or Deny check boxes in the Security tab to apply permissions templates. For a finer degree of control, click Advanced, select a permission entry, and click Edit. Only explicit permissions may be edited. Inherited permissions are discussed later in this lesson.
The Permission Entry For Docs dialog box, shown in Figure 6-6, will allow you to mod-
ify permissions and specify the scope of the permissions inheritance through the Apply
Onto drop-down list.
Caution Be certain that you understand the impact of changes you make in this dialog box. You can be grateful for the detailed control Microsoft has enabled, but with increased granularity comes increased complexity and increased potential for human error.
New Security Principals
Windows Server 2003, unlike Windows NT 4, allows you to add computers or groups of computers to an ACL, thereby adding flexibility to control resource access based on the client computer, regardless of the user who attempts access. For example, you might want to provide a public computer in the employee lounge but prevent a manager from exposing sensitive data during his or her lunch break. By adding the computer to ACLs and denying access permission, the manager who can access sensitive data from his or her desktop is prevented from accessing it from the lounge.
Windows Server 2003 also allows you to manage resource access based on the type of logon. You can add the special accounts Interactive, Network, and Terminal Server User to an ACL. Interactive represents any user logged on locally to the console. Terminal Server User includes any user connected through remote desktop or terminal services. Network represents a connection from the network, for example a Windows system running Client for Microsoft Networks.
Permissions Templates and Special Permissions
Permissions templates, visible in the Security tab in the Security Settings dialog box, are
bundles of special permissions, which are fully enumerated in the third dialog box,
Permissions Entry. Most of the templates and special permissions are self-explanatory,
whereas others are beyond the scope of this book. However, the following points are
worth noting:
■ Read & Execute: This permissions template is sufficient to allow users to open and read files and folders. Read & Execute will also allow a user to copy a resource, assuming they have permission to write to a target folder or media. There is no permission in Windows to prevent copying. Such functionality will be possible with Digital Rights Management technologies as they are incorporated into Windows platforms.
■ Write and Modify: The Write permissions template applied to a folder allows users to create a new file or folder (when applied to a folder) and, when applied to a file, to modify the contents of a file as well as its attributes (hidden, system, read-only) and extended attributes (defined by the application responsible for the document). The Modify template adds the permission to delete the object.
■ Change Permissions: After modifying ACLs for a while, you might wonder who can modify permissions. The answer is, first, the owner of the resource. Ownership will be discussed later in this lesson. Second, any user who has an effective permission that allows Change Permission can modify the ACL on the resource. The Change Permission must be managed using the ACL editor’s third dialog box, Permission Entry. It is also included in the Full Control permission template.
Inheritance
Windows Server 2003 supports permissions inheritance, which simply means that permissions applied to a folder will, by default, apply to the files and folders beneath that folder. Any change to the parent’s ACL will similarly affect all contents of that folder. Inheritance enables you to create single points of administration, managing a single ACL on a branch of resources under a folder.
Understanding Inheritance
Inheritance is the result of two characteristics of a resource’s security descriptor. First, permissions are, by default, inheritable. As previously shown in Figure 6-5, the permission Allow Users to Read & Execute is specified to Apply to: This folder, subfolders, and files. That alone, however, is not enough to make inheritance work. The other half of the story is that new objects, when created, are set by default to “Allow Inheritable Permissions From The Parent To Propagate To This Object...”, the check box visible in the same figure.
So a newly created file or folder will inherit the inheritable permissions from its parent,
and any changes to the parent will affect the child files and folders as well. It is helpful
to understand this two-step implementation of inheritance because it gives us two
ways to manage inheritance: from the parent and from the child.
Inherited permissions are displayed differently in each dialog box of the ACL editor.
The first and third dialog boxes (Security tab and Permissions Entry For Docs) show
inherited permissions as dimmed check marks to distinguish them from permissions
that are set directly on the resource, called explicit permissions, which are not dimmed.
The second dialog box (Advanced Security Settings) shows, for each permission entry,
from what folder the permission entry is inherited.
Overriding Inheritance
Inheritance allows you to configure permissions high in a folder tree. Such initial permissions, and any changes to those permissions, will propagate to all the files and folders in that tree that are, by default, configured to allow inheritance.
Occasionally, however, you might need to modify permissions on a subfolder or file to
provide additional access or restrict access to a user or group. You cannot remove
inherited permissions from an ACL. You can override an inherited permission by
assigning an explicit permission. Alternatively, you can block all inheritance and create
an entirely explicit ACL.
To override an inherited permission by assigning an explicit permission, simply check
the appropriate permissions box. For example, if a folder has an inherited Allow Read
permission assigned to the Sales Reps group, and you do not want Sales Reps to access
the folder, you can select the box to Deny Read.
Removing Inheritance
To override all inheritance, open the resource’s Advanced Security Settings dialog box and clear Allow Inheritable Permissions From The Parent To Propagate To This Object.... You will block all inheritance from the parent. You will then have to manage access to the resource by assigning sufficient explicit permissions.
To help you create an explicit permissions ACL, Windows gives you a choice when you choose to disallow inheritance. You are asked whether you want to Copy or Remove permissions entries, as shown in Figure 6-7.
Figure 6-7 Copying or removing permissions entries
Copy will create explicit permissions identical to what was inherited. You can then
remove individual permissions entries that you do not want to affect the resource. If
you choose Remove, you will be presented with an empty ACL, to which you will add
permissions entries. The result is the same either way; an ACL populated with explicit
permissions. The question is whether it is easier to start with an empty ACL and build
it from scratch or start with a copy of the inherited permissions and modify the list to
the desired goal. If the new ACL is wildly different from the inherited permissions,
choose Remove. If the new ACL is only slightly different from the result of inherited
permissions, it is more efficient to choose Copy.
When you disallow inheritance by deselecting the Allow Inheritable Permissions option, you block inheritance. All access to the resource is managed by explicit permissions assigned to that file or folder. Any changes to the ACL of its parent folder will not affect the resource; although the parent permissions are inheritable, the child does not inherit. Block inheritance sparingly because it increases the complexity of managing, evaluating, and troubleshooting resource access.
Reinstating Inheritance
Inheritance can be reinstated in two ways: from the child resource or from the parent folder. The results differ slightly. You might reinstate inheritance on a resource if you disallowed inheritance accidentally or if business requirements have changed. Simply reselect the Allow Inheritable Permissions option in the Advanced Security Settings dialog box. Inheritable permissions from the parent will now apply to the resource. All explicit permissions you assigned to the resource remain, however. The resulting ACL is a combination of the explicit permissions, which you might choose to remove, and the inherited permissions. Because of this dynamic, you might not see some inherited permissions in the first or third ACL editor dialog boxes. For example, if a resource has an explicit permission, Allow Sales Reps Read & Execute, and the parent folder has the same permission, when you choose to allow inheritance on the child, the result will be that the child has both an inherited and an explicit permission. You will see a check mark in the first and third dialog boxes; the explicit permission obscures the inherited permission in the interface. But the inherited permission is actually present, which can be confirmed in the second dialog box, Advanced Security Settings.
The second method for reinstating inheritance is from the parent folder. In the Advanced Security Settings dialog box of a folder, you may select the check box, Replace Permission Entries On All Child Objects With Entries Shown Here That Apply To Child Objects. The result: all ACLs on subfolders and files are removed. The permissions on the parent are applied. You can think of this as “blasting down” the parent’s permissions. After applying this option, any explicit permission that had been applied to subfolders and files is removed, unlike the method used for reinstating inheritance on the child resources. Inheritance is restored, so any changes to the parent-folder ACL are propagated to its subfolders and files. At this point you are able to set new, explicit permissions on subfolders or files. The Replace Permissions option does its job when you apply it, but does not continuously enforce parent permissions.
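The inheritance mechanics described in this section (propagation, blocking with Copy or Remove, reinstating from the child versus “blasting down” from the parent), as an added Python model that is not part of the book; the folder names and the single inheritable Users: Allow Read & Execute entry are a constructed sample, and every explicit entry is treated as inheritable, a simplification of the real Apply To flags.

```python
from collections import namedtuple

# An access control entry; in this model every explicit ACE is inheritable
# ("Apply to: This folder, subfolders and files"), a simplification of the real flags.
Ace = namedtuple("Ace", "principal kind rights")   # kind is "Allow" or "Deny"


class Resource:
    """A file or folder: explicit ACEs are stored, inherited ACEs are derived from the parent."""

    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, parent, []
        self.explicit = []    # entries set directly on this object
        self.inherit = True   # the "Allow Inheritable Permissions From The Parent..." check box
        if parent is not None:
            parent.children.append(self)

    def inherited(self):
        """(ACE, folder it came from) pairs flowing down from each ancestor until a block."""
        if not self.inherit or self.parent is None:
            return []
        own = [(ace, self.parent.name) for ace in self.parent.explicit]
        return own + self.parent.inherited()

    def acl(self):
        """The view in Advanced Security Settings: explicit entries, then inherited ones."""
        return [(ace, "<not inherited>") for ace in self.explicit] + self.inherited()

    def block_inheritance(self, copy):
        """Clear the check box; Copy turns the inherited entries into explicit ones first."""
        if copy:
            self.explicit += [ace for ace, _ in self.inherited()]
        self.inherit = False

    def allow_inheritance(self):
        """Reinstate from the child: explicit entries stay and inherited entries reappear."""
        self.inherit = True

    def replace_on_children(self):
        """Reinstate from the parent ("blast down"): descendants lose their explicit entries."""
        for child in self.children:
            child.explicit = []
            child.inherit = True
            child.replace_on_children()


def build_tree():
    """Constructed sample: C:\\docs propagating Users: Allow Read & Execute, as in Figure 6-5."""
    docs = Resource("C:\\docs")
    docs.explicit.append(Ace("Users", "Allow", "Read & Execute"))
    project = Resource("Project 101", docs)
    report = Resource("Report", project)
    return docs, project, report


if __name__ == "__main__":
    docs, project, report = build_tree()
    project.block_inheritance(copy=True)     # snapshot, then cut the link to the parent
    docs.explicit.append(Ace("Backup Operators", "Allow", "Read"))
    for ace, source in report.acl():         # Report still inherits, but from Project 101 now
        print(ace.principal, ace.kind, ace.rights, source)
```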
Effective Permissions
It is common for users to belong to more than one group and for those groups to have varying levels of resource access. When an ACL contains multiple entries, you must be able to evaluate the permissions that apply to a user based on his or her group memberships. The resulting permissions are called effective permissions.
Exam Tip Effective permissions are a common exam objective on most of the Microsoft Windows Server 2003 core exams, as well as on design and client exams. Pay close attention to this information and to any practice questions regarding effective permissions so you can be certain you have mastered the topic.
Understanding Effective Permissions
The rules that determine effective permissions are as follows:
■ File permissions override folder permissions. This isn’t really a rule, but it
is often presented that way in documentation, so it is worth addressing. Each
resource maintains an ACL that is solely responsible for determining resource
access. Although entries on that ACL might appear because they are inherited from
a parent folder, they are nevertheless entries on that resource’s ACL. The security
subsystem does not consult the parent folder to determine access at all. So you
might interpret this rule as: The only ACL that matters is the ACL on the resource.
■ Allow permissions are cumulative. Your level of resource access might be determined by permissions assigned to one or more groups to which you belong. The Allow permissions that are assigned to any of the user, group, or computer IDs in your security access token will apply to you, so your effective permissions are fundamentally the sum of those Allow permissions. If the Sales Reps group is allowed Read & Execute and Write permissions to a folder, and the Sales Managers group is allowed Read & Execute and Delete permissions, a user who belongs to both groups will have effective permissions equivalent to the Modify permissions template: Read & Execute, Write and Delete.
■ Deny permissions take precedence over Allow permissions. A permission that is denied will override a permission entry that allows the same access. Extending the example above, if the Temporary Employees group is denied Read permission, and a user is a temporary sales representative, belonging to both Sales Reps and Temporary Employees, that user will not be able to read the folder.
Note Best practice dictates that you minimize the use of Deny permissions and focus instead on allowing the minimal resource permissions required to achieve the business task. Deny permissions add a layer of complexity to the administration of ACLs and should be used only where absolutely necessary to exclude access to a user who has been granted permissions to the resource through other group memberships.
Off the Record If a user is unable to access a resource due to a Deny permission, but
access is desired, you must either remove the Deny permission or remove the user from the
group to which the Deny permission is applied. If the Deny permission is inherited, you may
provide access by adding an explicit Allow permission.
■ Explicit permissions take precedence over inherited permissions. A permission entry that is explicitly defined for a resource will override a conflicting inherited permission entry. This follows common-sense design principles: A parent folder sets a “rule” through its inheritable permissions. A child object requires access that is an exception to the rule and so an explicit permission is added to its ACL. The explicit permission takes precedence.
Tip A result of this dynamic is that an explicit Allow permission will override an inherited
Deny permission.
Exam Tip To evaluate effective permissions for a user, you must evaluate both share and NTFS permissions for the user and each group to which the user belongs. In the real world, you must also evaluate the logon type, the computer, and its group memberships; however, these are not likely to appear on a certification exam.
To determine effective share permissions, add each allowed permission and then remove each denied permission. To determine effective NTFS permissions, add each inherited allowed permission, remove each inherited deny permission, add each explicitly allowed permission, and then remove each explicitly denied permission. Finally, compare the effective share permissions and the effective NTFS permissions; the most restrictive is the resultant access for the user.
Evaluating Effective Permissions
Complexity is a possibility, given the extraordinary control over granular permissions and inheritance that NTFS supports. With all those permissions, users, and groups, how can you know what access a user actually has?
Microsoft added a long-awaited tool to help answer that question. The Effective Permissions tab of the Advanced Security Settings dialog box, shown in Figure 6-8, provides a reliable approximation of a user’s resulting resource access.
Figure 6-8 The Effective Permissions tab of the Advanced Security Settings dialog box
To use the Effective Permissions tool, click Select and identify the user, group, or built-in account to analyze. Windows Server 2003 then produces a list of effective permissions. This list is an approximation only. It does not take share permissions into account, nor does it evaluate the account’s special memberships, such as the following:
■ Anonymous Logon
■ Batch
■ Creator Group
■ Dialup
■ Enterprise Domain Controllers
■ Interactive
■ Network
■ Proxy
■ Restricted
■ Remote Interactive Logon
■ Service
■ System
■ Terminal Server User
■ Other Organization
■ This Organization
An ACL can contain entries for the Network or Interactive accounts, for example, which would provide the opportunity for a user to experience different levels of resource access depending on whether the user was logged on to the machine or using a network client. Because the user in question is not logged on, logon-specific permissions entries are ignored. Perhaps most important, share permissions are not evaluated; only NTFS permissions are evaluated. However, as an extra step, you can evaluate effective permissions, including share permissions or a built-in or special computer account such as Interactive or Network.
Resource Ownership
Windows Server 2003 includes a special security principal called Creator Owner and an entry in a resource’s security descriptor that defines the object’s owner. To fully manage and troubleshoot resource permissions, you must understand these two parts of the security picture.
Creator Owner
When a user creates a file or folder (which is possible if that user is allowed Create Files/Write Data or Create Folders/Append Data, respectively), the user is the creator and initial owner of that resource. Any permissions on the parent folder assigned to the special account Creator Owner are explicitly assigned to the user on the new resource.
As an example, assume that a folder allows users to create files (allow Create Files/Write Data), and the folder’s permissions allow users to Read & Execute and Creator Owner Full Control. This permission set would allow Maria to create a file. Maria, as the creator of that file, would have full control of that file. Tia can also create a file and would have full control of her file. However, Tia and Maria would be able to only read each other’s files. Tia could, however, change the ACL on the file she created to grant Maria greater access; Tia’s full control of her file includes the Change Permission permission.
Ownership
If for some reason Tia managed to modify the ACL and deny herself Full Control, she could nevertheless modify the ACL because an object’s owner can always modify its ACL, preventing users from permanently locking themselves out of their files and folders.
It is best practice to manage object ownership so that an object’s owner is correctly defined. This is partly because owners can modify ACLs of their objects and partly because newer technologies, such as disk quotas, rely on the ownership attribute to calculate disk space used by a particular user. Prior to Windows Server 2003, managing ownership was awkward. Windows Server 2003 has added an important tool to simplify ownership transfer.
An object’s owner is defined in its security descriptor. The user who creates a file or
folder is its initial owner. Another user can take ownership or be given ownership of
the object using one of the following processes:
■ Administrators can take ownership. A user who belongs to the Administrators group of a system, or who has otherwise been granted the Take Ownership user right on a system, can take ownership of any object on that system.
To take ownership of a resource, click the Owner tab of the Advanced Security Settings dialog box as shown in Figure 6-9. Select your user account from the list and click Apply. Select the Replace Owner On Subcontainers And Objects check box to take ownership of subfolders and files.
Figure 6-9 The Owner tab of the Advanced Security Settings dialog box
■ Users can take ownership if they are allowed Take Ownership permission. The special permission Take Ownership can be granted to any user or group. A user with an Allow Take Ownership permission can take ownership of the resource and then, as owner, modify the ACL to grant himself or herself sufficient permissions.
■ Administrators can facilitate the transfer of ownership. An administrator
can take ownership of any file or folder. Then, as owner, the administrator can
change permissions on the resource to grant Allow Take Ownership permission to
the new owner, who then can take ownership of the resource.
■ Restore Files And Directories user right enables the transfer of ownership. A user with the Restore Files And Directories right may transfer ownership of a file from one user to another. If you have been assigned the Restore Files And Directories right, you can click Other Users Or Groups and select the new owner. This capability is new in Windows Server 2003 and makes it possible for administrators and backup operators to manage and transfer resource ownership without requiring user intervention.
Practice: Configuring File System Permissions
In this practice, you will use the ACL editor to secure resources, evaluate effective permissions, and transfer ownership of files. Be certain that you have configured the user and group accounts outlined in this chapter’s “Before You Begin” section.
Exercise 1: Configuring NTFS Permissions
1. Open the c:\docs folder that you shared in Lesson 1’s practice.
2. Create a folder called Project 101.
3. Create domain local security groups to manage access to the folder. Using Active
Directory Users And Computers, create the following domain local security groups
in the Security Groups OU: Project 101 Contributors and Project 101 Editors.
4. To manage access using these groups, add global groups representing employee
roles to the two domain local groups you just created. Add the Project 101 Team
global group to the Project 101 Contributors group. Add the Managers group to
the Project 101 Editors group.
5. In Windows Explorer, open the ACL editor by right-clicking the Project 101 folder,
choosing Properties, and clicking the Security tab.
6. Configure the folder so that the folder allows the access outlined in the table below. This will require you to consider and configure inheritance and permissions for groups.
Security Principal          Access
Administrators              Full Control
Project 101 Contributors    Can read data, add files and folders, and have full control of the
                            files and folders they create.
Project 101 Editors         Can read and modify all files but cannot delete any files that they
                            did not create. Have full control of the files and folders they create.
System                      Services running as the System account should have full control.
When you believe you have configured correct permissions, click Apply and click Advanced. Compare the Advanced Security Settings dialog box to the dialog box shown in Figure 6-10.
To configure these permissions, you must disallow inheritance. Otherwise, all users, not just those in the Project 101 domain local groups, will be able to read files in the Project 101 folder. The parent folder, c:\docs, is propagating the Users: Allow Read & Execute permission. The only way to prevent this access is to deselect the Allow Inheritable Permissions From The Parent option. Notice that the requirements did not specify that you needed to prevent Users from reading, but it was also not indicated that Users required read access, and it is a security best practice to permit only the minimum required access.
After disallowing inheritance, the Advanced Security Settings dialog box should look
like the dialog box in Figure 6-10.
Figure 6-10 The Permissions tab of the Advanced Security Settings dialog box
The option to allow inheritance has been deselected and all permissions are shown as <not inherited>. Administrators, System, and Creator Owner have full control. Remember that when Creator Owner has full control, a user who creates a file or folder is given full control of that resource. The Project 101 Contributors group is listed as having a special permission entry. If you select that entry and click View/Edit, you will see the specific permissions assigned to the Project 101 Contributors group; they should match the dialog box shown in Figure 6-11.
Figure 6-11 Special permissions for the Project 101 Contributors group
The Project 101 Editors group has Allow: Read, Write & Execute permission. This template includes the permissions to create files and folders and, like Project 101 Contributors members, if a manager creates a resource, he or she is given the permissions that are assigned to the Creator Owner special identity for that resource: Full Control. This permission set does not allow members of the Project 101 Editors group to delete other users’ files. Remember that the Modify permissions template, which you did not assign, does include the Delete permission.
Exercise 2: Working with Deny Permissions
1. Assume that a group of contractors is hired. All user accounts for contractors are members of the Project Contractors global security group, which belongs to the Contractors Restricted Access domain local security group. Users in the Project Contractors group, and thereby the Contractors Restricted Access group, do not belong to any other group in the domain. What must you do to prevent contractors from accessing the Project 101 folder you secured in the previous exercise?
Nothing. Because contractors do not belong to other groups in the domain, they do not have permissions given to them by the current ACL that would allow any resource access. It is therefore not necessary to deny permissions.
2. Assume that some user accounts, such as Scott Bishop’s account, belong to both
the Project Contractors group and the Project 101 Team group, which itself is a
member of the Project 101 Contributors group. What must be done to prevent
access by contractors?
In this case, you must assign Deny permissions to the Contractors Restricted Access group.
Because they will receive Allow permissions assigned to the other Project 101 Contributors
group, you must override those permissions with Deny permissions.
3. Create a domain local security group named Contractors Restricted Access. Add
the Project Contractors global group as a member.
4. Configure the Project 101 folder to deny Full Control to the Contractors Restricted
Access group.
Exercise 3: Effective Permissions
1. Open the Advanced Security Settings dialog box for the Project 101 folder by
opening the folder’s properties, clicking Security, then clicking Advanced.
2. Click the Effective Permissions tab.
3. Select each of the following users and verify their permissions.
User                 Effective Permissions
Scott Bishop         No permissions
Dan Holme            No permissions
Danielle Tiedt       Traverse Folder/Execute File, List Folder/Read Data, Read Attributes,
                     Read Extended Attributes, Create Files/Write Data,
                     Create Folders/Append Data, Read Permissions
Lorrin Smith-Bates   Traverse Folder/Execute File, List Folder/Read Data, Read Attributes,
                     Read Extended Attributes, Create Files/Write Data,
                     Create Folders/Append Data, Write Attributes,
                     Write Extended Attributes, Read Permissions
If these permissions do not match yours, there is an error in either the permission list (in which case, go back to Exercises 1 and 2) or in groups and group membership (in which case, see this chapter’s “Before You Begin” section). Correct any errors and reverify effective permissions until they match these.
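The evaluation order given in the Exam Tip under “Understanding Effective Permissions” (inherited Allow, inherited Deny, explicit Allow, explicit Deny, then the more restrictive of NTFS and share), applied to the Project 101 ACL built in Exercises 1 and 2 and checked against the table in Exercise 3, as an added Python model that is not part of the book. The Docs share ACL, Bill’s group memberships (for the inherited-Deny case) and the mapping of share permissions to NTFS rights are constructed assumptions, as is Dan Holme holding no relevant membership.

```python
from collections import namedtuple

# The 13 special permissions enumerated in the Permission Entry dialog box
ALL = frozenset({
    "Traverse Folder/Execute File", "List Folder/Read Data", "Read Attributes",
    "Read Extended Attributes", "Create Files/Write Data",
    "Create Folders/Append Data", "Write Attributes", "Write Extended Attributes",
    "Delete Subfolders and Files", "Delete", "Read Permissions",
    "Change Permissions", "Take Ownership"})
# Permissions templates as bundles of special permissions
READ = frozenset({"List Folder/Read Data", "Read Attributes",
                  "Read Extended Attributes", "Read Permissions"})
READ_EXECUTE = READ | {"Traverse Folder/Execute File"}
WRITE = frozenset({"Create Files/Write Data", "Create Folders/Append Data",
                   "Write Attributes", "Write Extended Attributes"})
MODIFY = READ_EXECUTE | WRITE | {"Delete"}
FULL_CONTROL = ALL
# Share permissions expressed as the NTFS rights they correspond to (assumption)
SHARE = {"Read": READ_EXECUTE, "Change": MODIFY | {"Delete Subfolders and Files"},
         "Full Control": ALL}

Ace = namedtuple("Ace", "principal kind rights inherited")  # kind: "Allow" or "Deny"

# Nested group memberships from Exercises 1 and 2 plus the users of Exercise 3;
# Bill's groups are constructed for the inherited-Deny case, and Dan Holme
# belonging to none of these groups is an assumption.
MEMBER_OF = {
    "Danielle Tiedt": {"Project 101 Team"},
    "Lorrin Smith-Bates": {"Managers"},
    "Scott Bishop": {"Project Contractors", "Project 101 Team"},
    "Dan Holme": set(),
    "Bill": {"Sales Reps", "Temporary Employees"},
    "Project 101 Team": {"Project 101 Contributors"},
    "Managers": {"Project 101 Editors"},
    "Project Contractors": {"Contractors Restricted Access"},
}


def access_token(user):
    """Flatten nested memberships into the set of IDs carried in the user's security token."""
    token, todo = {user, "Users", "Everyone"}, [user]
    while todo:
        for group in MEMBER_OF.get(todo.pop(), ()):
            if group not in token:
                token.add(group)
                todo.append(group)
    return token


def matching(acl, token, kind, inherited):
    """Union of rights from every ACE of that kind/origin naming an ID in the token."""
    rights = set()
    for ace in acl:
        if ace.kind == kind and ace.inherited == inherited and ace.principal in token:
            rights |= ace.rights
    return rights


def effective_ntfs(acl, token):
    """Exam Tip order: + inherited Allow, - inherited Deny, + explicit Allow, - explicit Deny."""
    rights = matching(acl, token, "Allow", True)
    rights -= matching(acl, token, "Deny", True)
    rights |= matching(acl, token, "Allow", False)
    rights -= matching(acl, token, "Deny", False)
    return frozenset(rights)


def effective_share(share_acl, token):
    """Share rules: add each allowed permission, then remove each denied one (no inheritance)."""
    return frozenset(matching(share_acl, token, "Allow", False)
                     - matching(share_acl, token, "Deny", False))


def effective_access(ntfs_acl, share_acl, token):
    """Over the network the most restrictive of the two applies: only rights both grant."""
    return effective_ntfs(ntfs_acl, token) & effective_share(share_acl, token)


CONTRIBUTE = READ_EXECUTE | {"Create Files/Write Data", "Create Folders/Append Data"}

# Project 101 after Exercises 1 and 2: inheritance blocked, so every entry is explicit
PROJECT_101 = [
    Ace("Administrators", "Allow", FULL_CONTROL, False),
    Ace("System", "Allow", FULL_CONTROL, False),
    Ace("Creator Owner", "Allow", FULL_CONTROL, False),
    Ace("Project 101 Contributors", "Allow", CONTRIBUTE, False),
    Ace("Project 101 Editors", "Allow", READ_EXECUTE | WRITE, False),
    Ace("Contractors Restricted Access", "Deny", FULL_CONTROL, False),
]
# The lesson's "explicit Allow overrides inherited Deny" case (constructed ACL)
PLAN = [
    Ace("Sales Reps", "Allow", READ_EXECUTE, True),
    Ace("Temporary Employees", "Deny", READ, True),
    Ace("Bill", "Allow", READ, False),
]
# Constructed share ACL; Lesson 1's actual Docs share permissions are not shown here
DOCS_SHARE = [Ace("Everyone", "Allow", SHARE["Read"], False)]

if __name__ == "__main__":
    for user in ("Scott Bishop", "Dan Holme", "Danielle Tiedt", "Lorrin Smith-Bates"):
        print(user, sorted(effective_ntfs(PROJECT_101, access_token(user))))
```

Note that `effective_ntfs` mirrors what the Effective Permissions tab reports, which ignores share permissions; `effective_access` adds the share comparison the tab omits.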
Exercise 4: Ownership
1. Log on as Danielle Tiedt.
2. Open the shared folder by connecting to \\Server01\Docs.
3. Open the Project 101 folder and create a text file called Report.
4. Open the Advanced Security Settings dialog box for Report.
5. Confirm that all permissions are inherited from the parent folder. What differences
are there in the ACL between this object and the Project 101 folder?
The Project 101 folder grants Full Control to Creator Owner. The Report file grants Full Control
to Danielle. When she created the file, her SID was assigned the permissions granted to the
special Creator Owner group. In addition, the Project 101 Contributors group’s permission to
Create Files and Create Folders is a folder permission, so it does not appear on the ACL of
Report.
6. Log on as Administrator.
7. Open the Advanced Security Settings dialog box for Report.
8. Click the Owner tab.
9. Confirm that Danielle is listed as the current owner.
10. Select your user account and click Apply. You are now the owner of the object.
11. A user with the Restore Files And Directories user right is able to transfer ownership to another user. Click Other Users Or Group and select Lorrin Smith-Bates. Once Lorrin’s account is displayed in the Change Owner To list, select it and click Apply.
12. Confirm that Lorrin is now the owner of the Report.
13. Do you think that Lorrin now has full control of the object? Why or why not? Do you think that Danielle will keep full control, or will her permissions change? Confirm using the Effective Permissions page.
Lorrin does not have full control—only Modify permission. Lorrin is a member of the Managers
group, which has Modify permission. The Full Control permission assigned to Creator Owner is
applied only to a user when the user creates an object.
Note Once an object has been created, changing ownership does not modify the ACL in any
way. However, the new owner (or any user with Allow Change Permissions) can modify the ACL,
as an additional step, to provide himself or herself with sufficient resource access.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. What are the minimum NTFS permissions required to allow users to open documents and run programs stored in a shared folder?
a. Full Control
b. Modify
c. Write
d. Read & Execute
e. List Folder Contents
2. Bill complains that he is unable to access the department plan. You open the Security tab for the plan and you find that all permissions on the document are inherited from the plan’s parent folder. There is a Deny Read permission assigned to a group to which Bill belongs. Which of the following methods would enable Bill to access the plan?
a. Modify the permissions on the parent folder by adding the permission
Bill:Allow Full Control.
b. Modify the permissions on the parent folder by adding the permission
Bill:Allow Read.
c. Modify the permissions on the plan by adding the permission: Bill:Allow
Read.
d. Modify the permissions on the plan by deselecting Allow Inheritable Permissions, choosing Copy, and removing the Deny permission.
e. Modify the permissions on the plan by deselecting Allow Inheritable Permissions, choosing Copy, and adding the permission Bill:Allow Full Control.
f. Remove Bill from the group that is assigned the Deny permission.
3. Bill calls again to indicate that he still cannot access the departmental plan. You
use the Effective Permissions tool, select Bill’s account, and the tool indicates that
Bill is, in fact, allowed sufficient permissions. What might explain the discrepancy
between the results of the Effective Permissions tool and the issue Bill is reporting?
Lesson Summary
■ NTFS permissions can be configured using the ACL editor, which itself has three
dialog boxes: the Security tab, Advanced Security Settings, and Permission Entry
For.
■ Permissions can be allowed or denied, explicit or inherited. A Deny permission takes precedence over an Allow permission; and an explicit permission takes precedence over an inherited permission. The result is that an explicit Allow permission can override an inherited Deny permission.
■ Inheritance allows an administrator to manage permissions from a single parent folder that contains files and folders that share common resource access requirements. A new object’s ACL will, by default, include the inheritable permissions from the parent folder.
■ It is possible to change the effect of inherited permissions on an object several
ways. You can modify the parent object’s permission and allow the child object to
inherit the new permission; you can set an explicit permission on the child object,
which will take precedence over the inherited permission; or you can disallow
inheritance on the object and configure an ACL with explicit permissions that
define resource access.
■ The Effective Permissions tab of the Advanced Security Settings dialog box is a
useful tool that provides an approximation of resource access for a user or a group
by analyzing that account’s permissions as well as the permissions of groups to
which that account belongs.
■ The owner of an object can modify the object’s ACL at any time. A user that is
allowed Take Ownership permission may take ownership of the object, and
administrators may take ownership of any object on the system. Administrators,
Backup Operators, and other accounts that have been given the Restore Files And
Directories user right can transfer ownership of a file or folder from the current
owner to any other user or group.
Lesson 3: Auditing File System Access
Many organizations elect to audit file system access to provide insight into resource utilization and potential security vulnerabilities. Windows Server 2003 supports granular auditing based on user or group accounts and the specific actions performed by those accounts. To configure auditing, you must complete three steps: specify auditing settings, enable audit policy, and evaluate events in the security log. This lesson will explore these three processes and provide guidance to effective auditing so that you can leverage auditing to meet business requirements without being drowned in logged events.
After this lesson, you will be able to
■ Configure audit settings on a file or folder
■ Enable auditing on a stand-alone server or for a collection of servers
■ Examine audited events in the Security log
Estimated lesson time: 20 minutes
Configuring Audit Settings
To specify the actions you wish to monitor and track, you must configure audit settings in the file’s or folder’s Advanced Security Settings dialog box. The Auditing tab, shown in Figure 6-12, looks strikingly similar to the Permissions tab before it. Instead of adding permissions entries, however, you add auditing entries.
Figure 6-12 Auditing tab of the Advanced Security Settings dialog box
Click Add to select the user, group, or computer to audit. Then, in the Auditing Entry dialog box, as shown in Figure 6-13, indicate the permission uses to audit.
Figure 6-13 Auditing Entry dialog box
You are able to audit for successes, failures, or both as the account attempts to access
the resource using each of the granular permissions assigned to the object.
Successes can be used to audit the following:
■ To log resource access for reporting and billing
■ To monitor for access that would indicate that users are performing actions greater
than what you had planned, indicating permissions are too generous
■ To identify access that is out of character for a particular account, which might be
a sign that a user account has been breached by a hacker
Auditing for failed access allows you:
■ To monitor for malicious attempts to access a resource to which access has been
denied.
■ To identify failed attempts to access a file or folder to which a user does require access. This would indicate that permissions are not sufficient to achieve a business task.
Audit settings, like permissions, follow rules of inheritance. Inheritable auditing settings are applied to objects that allow inheritance.
Note Audit logs have the tendency to get quite large quite rapidly, so a golden rule for auditing is to configure the bare minimum required to achieve the business task. Specifying to audit successes and failures on an active data folder for the Everyone group using Full Control (all permissions) would generate enormous audit logs that could affect the performance of the server and would make locating a specific audited event all but impossible.
Enabling Auditing
Configuring auditing entries in the security descriptor of a file or folder does not, in
itself, enable auditing. Auditing must be enabled through policy. Once auditing is
enabled, the security subsystem begins to pay attention to the audit settings and to log
access as directed by those settings.
Audit policy can be enabled on a stand-alone server using the Local Security Policy console and on a domain controller using the Domain Controller Security Policy console. Select the Audit Policy node under the Local Policies node and double-click the policy, Audit Object Access. Select Define These Policy Settings and then select whether to enable auditing for successes, failures, or both.
Note Remember that the access that is audited and logged is the combination of the audit
entries on specific files and folders and the settings in Audit Policy. If you have configured
audit entries to log failures, but the policy enables only logging for successes, your audit logs
will remain empty.
You may also enable auditing for one or more computers using Active Directory Group Policy Objects (GPOs). The Audit Policy node is located under Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy. Like all group policies, the computers that are affected by the policy will be those contained within the scope of the policy. If you link a policy to the Servers OU and enable auditing, all computer objects in the Servers OU will begin to audit resource access according to audit entries on files and folders on those systems.
Examining the Security Log
Once audit entries have been configured on files or folders, and auditing object access
has been enabled through local or Group Policy, the system will begin to log access
according to the audit entries. You can view and examine the results using Event
Viewer and selecting the Security log, as shown in Figure 6-14.
As you can see, the Security log can be quite busy, depending on the types of auditing
being performed on the machine. You can sort the events to help you identify object
access events by clicking the Category column header and locating the Object Access
events.
Figure 6-14 The Security log in Event Viewer
Sorting will, however, provide little assistance as you dig through the logged events. You will often be better served by filtering the event log, which can be done by choosing the Filter command from the View menu or alternatively by selecting the Security log, then Properties from the Action or shortcut menus, and then clicking the Filter tab.
The Filter tab enables you to specify criteria including the event type, category, source,
date range, user, and computer. Figure 6-15 illustrates an example of a filter applied to
identify object access audit events on a specific date.
Figure 6-15 The Filter tab
Finally, you have the option to export the Security log by selecting the Save Log File As
command from the log’s context menu. The native event log file format takes an .evt
extension. You can open that file with Event Viewer on another system. Alternatively,
you can save the log to tab-delimited or comma-delimited file formats, which can be
read by a number of analysis tools, including Microsoft Office Excel. In Office Excel,
you can, of course, apply filters as well to search for more specific information such as
the contents of the event’s Description field.
Practice: Auditing File System Access
In this practice, you will configure auditing settings, enable audit policies for object
access, and filter for specific events in the security log. The business objective is to
monitor the deletion of files from an important folder to ensure that only appropriate
users are deleting files.
Exercise 1: Configure Audit Settings
1. Log on as Administrator.
2. Open the Advanced Security Settings dialog box for the C:\Docs\Project 101 folder.
3. Click the Auditing tab.
4. Add an audit entry to track the Project 101 Contributors group. Specify that you
wish to monitor Success and Failure of the Delete permission.
Exercise 2: Enable Audit Policy
Because you are logged on to a domain controller, you will use the Domain Controller
Security Policy console to enable auditing. On a stand-alone server, you would use
Local Security Policy. You could also leverage GPOs to enable auditing.
1. Open Domain Controller Security Policy from the Administrative Tools folder.
2. Expand Local Policies and select Audit Policy.
3. Double-click Audit Object Access.
4. Select Define These Policy Settings.
5. Specify to enable auditing for both success and failure audit entries.
6. Click OK, and then close the console.
7. To refresh the policy, and to ensure that all settings have been applied, open a
command prompt and type the command gpupdate.
Exercise 3: Generate Audit Events
1. Log on as Danielle Tiedt.
2. Connect to \\Server01\Docs\Project 101.
3. Delete the Report text file.
Exercise 4: Examine the Security Log
1. Log on as Administrator.
2. Open Event Viewer from the Administrative Tools folder.
3. Select the Security log.
4. What types of events do you see in the Security log? Only Object Access events?
Other types of events? Remember that policies can enable auditing for numerous
security-related actions, including directory service access, account management,
logon, and more.
5. To filter the log and narrow the scope of your search, choose the Filter command
from the View menu.
6. Configure the filter to be as narrow as possible. What do you know about the
event you are trying to locate? You know it is a success or failure audit; that it is
an Object Access event category; and that it occurred today. Check your work by
referring to Figure 6-15.
7. Click Apply.
8. Can you more easily locate the event that marked Danielle’s deletion of the Report
file? Open the event and look at its contents. The description indicates the user
and the file and the action. You could not filter for contents of the description in
Event Viewer, but you could do so by exporting the file to a log analysis tool or to
Microsoft Office Excel.
9. (Optional) If you have access to Microsoft Office Excel, right-click the Security log
node and choose Save Log File As. Enter a name and select Comma-Delimited as
the file type. Open the file in Office Excel.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. Which of the following must be done to generate a log of resource access for a file
or folder? Select all that apply.
a. Configure NTFS permissions to allow the System account to audit resource
access.
b. Configure audit entries to specify the types of access to audit.
c. Enable the Audit Privilege Use policy.
d. Enable the Audit Object Access policy.
2. Which of the following are valid criteria for a security log filter to identify specific
file and folder access events? Select all that apply.
a. The date of the event
b. The user who generated the event
c. The type of object access that generated the event
d. Success or failure audit
3. Users at Contoso, Ltd. use Microsoft Office applications to access resources on
Server01. Your job is to monitor Server01 to ensure that permissions are not too
restrictive so that users are not prevented from achieving their assignments. Which
log, and which type of event, will provide the information you require?
a. Application log; Success Event
b. Application log; Failure Event
c. Security log; Success Event
d. Security log; Failure Event
e. System log; Success Event
f. System log; Failure Event
Lesson Summary
■ Audit entries are contained in the security descriptor of files and folders on NTFS
volumes. They are configured using Windows Explorer, from the properties of a
file or folder, using the Advanced Security Settings dialog box.
■ Audit entries alone do not generate audit logs. You must also enable the Audit
Object Access policy from Local Security Policy, the Domain Controller Security
Policy, or a GPO.
■ The Security log, viewable with the Event Viewer snap-in, allows you to locate
and examine object access events.
Lesson 4: Administering Internet Information Services
Lesson 1 discussed the issues related to sharing a folder so that users, with the Client For Microsoft Networks, can access resources on a server running the File And Print Sharing For Microsoft Networks service. That is, however, only one means by which users can access the files and folders they require. It is also possible to enable access through Internet technologies such as FTP and Web (HTTP) services. As more applications and collaboration activities become focused on the Web for delivery, it becomes increasingly important to be able to maintain and secure a Web server. Windows Server 2003 delivers a significantly improved Internet Information Services (IIS).
In this lesson, you will learn how to configure and manage IIS. You will discover how
to configure Web and FTP sites, virtual directories, and IIS security.
See Also For more information about IIS, see the Microsoft IIS 6.0 Administrator’s Pocket
Consultant (Microsoft Press, 2003).
After this lesson, you will be able to
■ Install IIS
■ Set up a Web and FTP site
■ Configure a Web default content page
■ Create a Web virtual directory
■ Modify IIS authentication and security settings
■ Back up the IIS metabase
Estimated lesson time: 20 minutes
Installing IIS 6.0
To decrease the attack surface of a Windows Server 2003 system, IIS is not installed by
default. It must be added using the Add/Remove Windows Components Wizard from
Add Or Remove Programs, located in Control Panel. Select Application Server, click
Details, and then select Internet Information Services (IIS). You can control the sub-
components of IIS that are installed, but unless you are very familiar with the role of
subcomponents, do not remove any default components. However, you might want to
add components such as ASP.NET, FTP, or Microsoft FrontPage Server Extensions.
Administering the Web Environment
When IIS is installed, a default Web site is created, allowing you to implement a Web
environment quickly and easily. However, you can modify that Web environment to
meet your needs. Windows Server 2003 provides the tools necessary to administer IIS
and its sites.
After installation has completed, you may open the Internet Information Services (IIS)
Manager console from the Administrative Tools group. By default, IIS is configured to
serve only static content. To enable dynamic content, select the Web Service Extensions
node. As shown in Figure 6-16, all the extensions are prohibited by default. Select the
appropriate extension, and then click Allow.
Figure 6-16 The Internet Information Services (IIS) Manager snap-in
The fundamental processes that take place as a client accesses a resource from IIS are
■ The client enters a URL (Universal Resource Locator) in either of the following
forms:
❑ http://dns.domain.name/virtualdirectory/page.htm
❑ ftp://dns.domain.name/virtualdirectory
■ Domain Name System (DNS) resolves the name to an IP address and returns the
address to the client.
■ The client connects to the server’s IP address, using a port that is specific to the
service (typically, port 80 for HTTP and port 21 for FTP).
■ The URL does not represent the physical path to the resource on the server, but a virtualization of the path. The server translates the incoming request into the physical path and produces appropriate resources to the client. For example, the server might list files in the folder to an FTP client or might deliver the home page to an HTTP client.
■ The process can be secured with authentication (credentials, including a user
name and password) and authorization (access control through permissions).
You can see this process in action by opening a browser and typing http://server01.
The server produces the Under Construction page to the client browser.
Configuring and Managing Web and FTP Sites
IIS installation configures a single Web site, the Default Web Site. Although IIS,
depending on your server’s hardware configuration, can host thousands, or tens of
thousands of sites, the Default Web Site is a fine place to explore the functionality and
administration of Web sites on IIS. This default Web site is accessible if you open a
browser and type the URL: http://server01.contoso.com. The page that is fetched is
the Under Construction page.
Remember that a browser’s request to a Web server is directed at the server’s IP
address, which was resolved from the URL by DNS. The request includes the URL, and
the URL often includes only the site name (www.microsoft.com, for example). How
does the server produce the home page? If you examine the Web Site tab of the Default
Web Site Properties, as shown in Figure 6-17, you see that the site is assigned to All
Unassigned IP addresses on port 80. So the request from the browser hits port 80 on
the server, which then identifies that it is the Default Web Site that should be served.
Figure 6-17 The Web Site tab of the Default Web Site Properties dialog box
The next question, then, is what information should be served. If the URL includes only the site name (for example, www.microsoft.com or server01.contoso.com), then the page that will be returned is fetched from the home directory. The Home Directory tab, as shown in Figure 6-18, displays the physical path to the home directory, typically c:\inetpub\wwwroot.
Figure 6-18 The Home Directory tab of the Default Web Site Properties dialog box
Which file, exactly, should be returned to the client? That is defined in the Documents tab, as shown in Figure 6-19. IIS searches for files in the order in which they are listed. As soon as it finds a file of that name in the local path of the home directory, that page is returned to the client and the server stops looking for other matches. If no match is found, IIS returns an error (404–File Not Found) to the client, indicating that the page could not be found.
Figure 6-19 The Documents tab of the Default Web Site Properties dialog box
A browser could, of course, refer to a specific page in the URL, for example http://server01.contoso.com/contactinfo.htm. In that event, the specific page is fetched from the home directory. If it is not found, a File Not Found error (404) is returned.
To create a Web site, right-click the Web Sites node or an existing Web site in IIS Manager and choose New Web Site. To configure a Web site, open its Properties. You can configure the IP address of the site. If a server has multiple IP addresses, each IP address can represent a separate Web site. You can also configure the path to the directory that is used as the home directory. And you can modify the list or order of documents that can be fetched as the default content page.
Often, a server will host multiple sites on a single IP address. You can do this by assigning a unique port to each site. If, for example, a Web site is created and assigned to port 8080, the port must be specified in the URL submitted by clients—for example: http://server.contoso.com:8080.
Alternatively, you can host multiple sites on a single IP address by configuring host headers. The client browser must support host headers, and all contemporary browsers, including Internet Explorer and Mozilla Firefox, support host headers. The client browser includes the URL—http://www.contoso.com, for example—in its HTTP request. The server then uses the host header to identify which Web site to serve to the client. Ensure that each Web site has a unique DNS entry pointing to the same IP address. Then configure each site with host headers.
A URL can also include more complex path information, such as http://www.microsoft.com/windowsserver2003. This URL is not requesting a specific page; there is no extension such as .htm or .asp on the end of the URL. Instead, it is requesting information from the windowsserver2003 directory. The server evaluates this additional component of the URL as a virtual directory. The folder that contains the files referred to as windowsserver2003 can reside anywhere; they do not have to be located on the IIS server.
To create a virtual directory, right-click a Web site and choose New Virtual Directory.
The wizard will prompt you for the alias, which becomes the folder name used in the
URL, and the physical path to the resource, which can be on a local volume or remote
server.
Tip You can also create a Web virtual directory on an NTFS drive by right-clicking a folder in
Windows Explorer, choosing Properties, and then clicking the Web Sharing tab.
FTP sites work, and are administered, similarly to Web sites. IIS installs one FTP site, the Default FTP Site, and configures it to respond to all incoming FTP requests (all unassigned addresses, port 21). The FTP site returns to the client a list of files from the folder specified in the Home Directory tab. FTP sites can also include virtual directories so that, for example, ftp://server01.contoso.com/pub can return resources from a different server than ftp://server01.contoso.com/vendor_uploads. FTP URLs and sites do not use default documents.
Complex IIS servers might host tens of thousands of sites, each with customized settings to make them tick. Losing all that configuration information could be painful, so although a normal file system backup might allow you to restore the data files after a failure, the configuration would be lost. To back up or restore IIS configuration, you must back up or restore the metabase and the schema, Extensible Markup Language (XML) documents that are used to store settings.
To manually back up the IIS configuration, complete the following steps:
1. Right-click the server node in IIS Manager and, from the All Tasks menu, choose
Backup/Restore Configuration. Click Create Backup. When prompted, enter a
name for the backup and click OK.
The metabase and schema are backed up to the directory %Windir%\System32\Inetsrv\Metaback.
2. Use any backup procedure to back up the contents of the Metaback directory.
Tip The IISBack.vbs command supports the backup and restore of IIS configuration from a
command line. See Windows Server 2003 Product Help for details.
Note Backing up IIS configuration does not back up Web site content. Use any backup procedure, such as those discussed in Chapter 7, to back up content.
Securing Files on IIS
Security for files accessed by way of IIS falls into several categories: authentication, authorization through NTFS permissions, and IIS permissions. Authentication is, of course, the process of evaluating credentials in the form of a user name and password. By default, all requests to IIS are serviced by impersonating the user with the IUSR_computername account. Before you begin restricting access of resources to specific users, you must create domain or local user accounts and require something more than Anonymous authentication.
Configuring Authentication Methods
You may configure the following authentication methods in the Directory Security tab
of the server, a Web (or FTP) site, a virtual directory, or a file:
Web Authentication Options
■ Anonymous authentication Users may access the public areas of your Web
site without a user name or password.
■ Basic authentication Requires that a user have a local or domain user account.
Credentials are transmitted in clear text.
■ Digest authentication Offers the same functionality as Basic authentication
while providing enhanced security in the way that a user’s credentials are sent
across the network. Digest authentication relies on the HTTP 1.1 protocol.
■ Advanced Digest authentication Works only when the user account is part of Active Directory. Collects user credentials and stores them on the domain controller. Advanced Digest authentication requires the user to be using Internet Explorer 5 or later and the HTTP 1.1 protocol.
■ Integrated Windows authentication Collects information through a secure
form of authentication (sometimes referred to as Windows NT Challenge/
Response authentication) where the user name and password are hashed before
being sent across the network.
■ Certificate authentication Adds Secure Sockets Layer (SSL) security through client or server certificates, or both. This option is available only if you have Certificate Services installed and configured.
■ .NET Passport authentication Provides a single sign-in service through SSL,
HTTP redirects, cookies, Microsoft JScript, and strong symmetric key encryption.
Tip You must disable Anonymous authentication and configure at least one of the other
authentication options for NTFS permissions to be effective. If users accessing the site are
authenticating anonymously, authorization using NTFS permissions is not possible.
FTP Authentication Options
■ Anonymous FTP authentication Gives users access to the public areas of your
FTP site without prompting them for a user name or password.
■ Basic FTP authentication Requires users to log on with a user name and password corresponding to a valid Windows user account.
Defining Resource Access with Permissions
Once authentication has been configured, permissions are assigned to files and folders.
A common way to define resource access with IIS is through NTFS permissions. NTFS
permissions, because they are attached to a file or folder, act to define access to that
resource regardless of how the resource is accessed.
IIS also defines permissions on sites and virtual directories. Although NTFS permissions define a specific level of access to existing Windows user and group accounts, the directory security permissions configured for a site or virtual directory apply to all users and groups.
Exam Tip If IIS permissions and NTFS permissions are both in place, the effective permissions will be the more restrictive.
Table 6-2 details Web permission levels. You can set these permissions in the Virtual
Directory or Home Directory tabs of the properties dialog box for a virtual directory or
a Web site.
Table 6-2 IIS Directory Permissions
Read (default): Users can view file content and properties.
Write: Users can change file content and properties.
Script Source Access: Users can access the source code for files, such as the scripts in an Active Server Pages (ASP) application. This option is available only if either Read or Write permissions are assigned. If Read permission is assigned, source code can be read. If Write permission is assigned, source code can be written to as well. Be aware that allowing users to have read and write access to source code can compromise the security of your server.
Directory Browsing: Users can view file lists and collections.
The Execute permissions control the security level of script execution and are as
described in Table 6-3. You can set these permissions in the Virtual Directory or Home
Directory tabs of the properties dialog box for a virtual directory or a Web site.
Table 6-3 Application Execute Permissions
None: Set permissions for an application to None to prevent any programs or scripts from running.
Scripts Only: Set permissions for an application to Scripts Only to enable applications mapped to a script engine to run in this directory without having permissions set for executables. Setting permissions to Scripts Only is more secure than setting them to Scripts and Executables because you can limit the applications that can be run in the directory.
Scripts and Executables: Set permissions for an application to Scripts and Executables to allow any application to run in this directory, including applications mapped to script engines and Windows binaries (.dll and .exe files).
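The authentication and IIS permission settings described above (anonymous access off, Read only, no script execution), applied to the Project101 virtual directory from the practice through the IIS 6 metabase rather than the Directory Security and Virtual Directory tabs. This is an added example, not code from the book; it assumes the IIS ADSI provider of IIS 6, that the Contoso site has site identifier 1, and takes the alias and path from the practice exercise.

```powershell
# Added example (not the book's own code): create the Project101 virtual directory and set
# its authentication and IIS permissions through the IIS 6 metabase (ADSI provider).
# Assumed: the Contoso site has site identifier 1 (shown in IIS Manager); the alias and
# path come from the practice exercise. Run elevated on the IIS server.
$siteId = 1
$alias  = 'Project101'
$path   = 'C:\Docs\Project 101'

$root = [ADSI]"IIS://localhost/W3SVC/$siteId/Root"
$vdir = $root.Create('IIsWebVirtualDir', $alias)
$vdir.Put('Path', $path)

# AuthFlags is a bit mask: 1 Anonymous, 2 Basic, 4 Integrated Windows, 16 Digest, 64 .NET Passport.
# Integrated Windows only (4): with anonymous access off, NTFS permissions on the files
# decide who can read them, and credentials are not sent in clear text as with Basic.
$vdir.Put('AuthFlags', 4)

# AccessFlags is also a bit mask: 1 Read, 2 Write, 4 Execute, 16 Script Source Access,
# 512 Scripts Only. Read only (1) is the Table 6-2 default with Execute permissions set to
# None (Table 6-3): static documents are served and nothing in the directory can run.
$vdir.Put('AccessFlags', 1)
$vdir.SetInfo()

# Read the settings back. Effective access is still the more restrictive of these IIS
# permissions and the NTFS permissions on the files, as the Exam Tip states.
$check = [ADSI]"IIS://localhost/W3SVC/$siteId/Root/$alias"
'{0}: Path={1} AuthFlags={2} AccessFlags={3}' -f $alias, $check.Path, $check.AuthFlags, $check.AccessFlags
```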
New in SP1!
Windows Firewall, introduced by SP1 and disabled by default following Post-Setup Security Updates, will prevent inbound connections to services on an IIS server. Be certain to understand the exceptions you must configure for ports and applications. Among the most common exceptions are:
■ Web sites: Browsers using HTTP typically connect to port 80. Port 80 must be open to TCP connections for basic Web services to function.
■ Web-based services: Many native Web-based services require authentication and encryption using HTTPS, which uses port 443 for TCP traffic. These services include Internet printing (IPP), discussed in Chapter 8, WebDAV, BITS, FrontPage 2002 Server Extensions, and the IIS Remote Administration tools.
■ Remote Desktop Web Connection: Ports 80, 443, and 3389 must be open for TCP for clients to successfully connect to a Windows server running terminal services. Ports 80 and 443 support the Web site itself, and port 3389 enables Remote Desktop traffic. In addition, port 135 must be open for TCP if Terminal Services Licensing is required. See Chapter 2 for more information about Terminal Services.
■ FTP traffic requires port 21 for TCP connections.
Finally, it is common to create an exception for Remote Administration (ports 135 and 445) and to allow incoming ping requests, an ICMP exception.
Practice: Administering IIS
In this practice, you will install IIS and configure a new Web site and virtual directory.
Exercise 1: Install IIS
1. Open Add Or Remove Programs from Control Panel and click Add/Remove
Windows Components.
2. Select Application Server and click Details.
3. Select Internet Information Services (IIS) and click Details.
4. Ensure that, at a minimum, Common Files, File Transfer Protocol (FTP) Service,
World Wide Web Service, and Internet Information Services Manager are selected.
5. Complete the installation.
Exercise 2: Prepare Simulated Web Content
1. Create a folder on the C drive called ContosoCorp.
2. Open Notepad and create a file with the text “Welcome to Contoso.” Save the file as “C:\ContosoCorp\Default.htm” being certain to surround the name with quotation marks.
3. Create a second file with the text “This is the site for Project 101.” Save the file as “C:\Docs\Project 101\Default.htm” being certain to surround the name with quotation marks.
Exercise 3: Create a Web Site
1. Open the Internet Information Services (IIS) Manager snap-in from the Adminis-
trative Tools group.
2. Right-click the Default Web Site and choose Stop.
3. Right-click the Web Sites node and choose New Web Site.
4. Give the site the description Contoso and the path C:\ContosoCorp. All other default settings are acceptable.
Exercise 4: Create a Secure Virtual Directory
1. Right-click the Contoso site and choose New Virtual Directory.
2. Enter the alias Project101 and the path C:\Docs\Project 101 in the Virtual Directory Creation Wizard. Accept the other defaults.
3. Open the properties of the Project101 virtual directory.
4. Click Directory Security.
5. In the Authentication and Access Control frame, click Edit.
6. Deselect the option to enable anonymous access. Permission to the files in the site
will now require valid user accounts. Click OK twice.
7. Open Internet Explorer and type http://server01.contoso.com. The Welcome
To Contoso page should appear.
8. Type the URL http://server01.contoso.com/Project101. You will be prompted
for credentials. Log on as Scott Bishop and the Project101 home page appears.
9. Change the permissions on the C:\Docs\Project 101\Default.htm document so that only Administrators can read the document.
10. Close and reopen Internet Explorer. Connect to http://server01.contoso.com/Project101 and authenticate as Administrator. The page should appear.
11. Close and reopen Internet Explorer again. Now, connect to the same URL as Scott Bishop. You should receive an Access Denied error (401– Unauthorized).
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. You’re setting up a Web site in IIS on Server01. The site’s Internet domain name is adatum.com, and the site’s home directory is C:\Web\Adatum. Which URL should Internet users use to access files in the home directory of the site?
a. http://server01.web.adatum
b. http://web.adatum.com/server01
c. http://server01.adatum/home
d. http://server01.adatum.com
2. Data for your corporate intranet is currently stored on the D drive of your IIS server. It is decided that the HR department will serve information about the company benefits and policies from its server, and that the URL to access the HR information should be http://intranet.contoso.com/hr. What do you need to configure?
a. A new Web site
b. A new FTP site
c. A virtual directory from file
d. A virtual directory
3. You want to ensure the highest level of security for your corporate intranet without the infrastructure of certificate services. The goal is to provide authentication that is transparent to users and to allow you to secure intranet resources with the group accounts existing in Active Directory. All users are within the corporate firewall. Which authentication method should you choose?
a. Anonymous Access
b. Basic Authentication
c. Digest Authentication
d. Integrated Windows Authentication
Lesson Summary
■ IIS is not installed by default. You can install it using the Windows Components
Wizard through Add Or Remove Programs.
■ A Web or FTP site’s home directory is the physical location of resources to be
served by that site.
■ A virtual directory is an alias and a path that points the IIS server to the location
of resources. The URL takes the form http://server.dns.name/virtualdirectory. The
resources can be located on a local volume or remote server.
■ IIS supports multiple levels of authentication. By default, Anonymous Authentication allows any connecting user to access public areas of the site, and Integrated Windows Authentication allows you to assign NTFS permissions to resources that you wish to secure further.
■ Access to IIS resources on NTFS volumes is controlled by ACLs, exactly as if the
resource were being accessed by Client For Microsoft Networks.
■ IIS has directory and application permissions. If both IIS permissions and NTFS
permissions are applied, the more restrictive permissions are effective.
Case Scenario Exercise
Note This Case Scenario exercise is designed to prepare for and to complement the follow-
ing “Troubleshooting Lab” section. It is recommended that you complete both exercises to
gain the maximum learning from these hands-on experiences with Windows Server 2003 file
system security.
You must have IIS installed (see Lesson 4, Exercise 1) and have created the group and user
accounts as described in this chapter’s “Before You Begin” section.
Contoso, Ltd wants to configure an intranet site for company and departmental news.
The specifications call for the site to be easy to use by both employees and the mana-
gers, who will be responsible for updating the news documents. All employees will use
the latest version of Internet Explorer to browse the intranet. Managers will use other
tools to create Web pages.
Exercise 1: Create Shared Folders and Sample Web Content
Note There are obviously many ways to create and share folders. In this exercise, please
use the methods described.
1. Open the command prompt.
2. Type the following commands:
md c:\Contoso\Intranet\News
net share News=c:\Contoso\Intranet\News
3. Open Notepad and create a file with the text “Contoso Company News.” Save the
file as “C:\Contoso\Intranet\News\Default.htm”, being certain to surround the
name with quotation marks.
4. Add the following permission to the C:\Contoso\Intranet\News folder:
Managers: Allow Modify
5. In the C:\Contoso\Intranet\News folder’s Properties dialog box, click the Web
Sharing tab.
6. From the Share On drop-down list, choose Contoso. If you did not complete the
exercises in Lesson 4, you will not have the Contoso Web site; choose the Default
Web Site instead. Click Share This Folder and type the alias News. The default
permissions are adequate. Click OK.
Exercise 2: Optimize Intranet Access
In this exercise, you will confirm the functionality of the intranet and optimize its ease
of use.
1. Open Internet Explorer and type the URL http://server01.contoso.com/News.
2. You will be prompted for credentials. Authenticate as Administrator. The Contoso
Company News page should appear.
3. Close Internet Explorer.
You are being prompted for credentials because Company News is not allowing
anonymous access. When you create a virtual directory by using the Web Sharing
tab, anonymous access is disabled by default.
4. Using IIS manager, open the properties of the News virtual directory.
5. Click the Directory Security tab and click Edit in the Authentication and Access
Control frame.
6. Enable anonymous access.
7. Repeat steps 1 through 3 to verify that the change was effective.
Exercise 3: Confirm That Managers Can Modify Intranet Contents
Note To simulate remote management of the intranet contents, it is important that you use
the UNC path to the folders and files as instructed. Do not use a local path.
1. Log off Server01 and log on again as the user Lorrin Smith-Bates, who is a member
of the Managers group.
2. Open Notepad and create a document with the text “Good News Contoso!” Save
the document as “\\server01\news\goodnews.htm”, being certain to surround the
name in quotation marks and to use the UNC path, not a local path, to the news
folder.
3. Are you able to save the file?
Continue with the Troubleshooting Lab to identify and solve the problem you just
encountered.
Troubleshooting Lab
Note This Troubleshooting Lab is designed to complement the preceding Case Scenario
Exercise. It is recommended that you complete both exercises to gain the maximum learning
from these hands-on experiences with Windows Server 2003 file system security.
You must have IIS installed (see Lesson 4, Exercise 1) and have created the group and user
accounts as described in this chapter’s “Before You Begin” section. You must also have com-
pleted at least Exercise 1 of the Case Scenario.
Lorrin Smith-Bates calls the help desk and reports that he is unable to save documents
to the intranet news folder. He is creating a Web page in Notepad and saving it to
“\\server01\News\goodnews.htm” when the error occurs.
The folder is located at C:\Contoso\Intranet\News, is shared as News, and is configured
as a virtual directory, News, for the Contoso Web site. The error message he
receives is an Access Denied message. That indicates that his machine is likely able to
connect to the server, but that a permission or privilege of some kind prevents him
from saving the file.
Log on to Server01 as Administrator to perform these troubleshooting steps.
Step 1: Confirm Group Membership
You are fairly confident that you made Lorrin a member of the Managers group and
that the Managers group has Modify permission to the C:\Contoso\Intranet\News folder.
How can you confirm Lorrin’s group membership?
The Dsget command, discussed in Chapter 3, can enumerate group memberships.
Open a command prompt and type the command:
dsget user "CN=Lorrin Smith-Bates,OU=Employees,DC=Contoso,DC=com" -memberof -expand
You should see these groups listed as well as other groups that might vary depending
on which exercises from this book you have completed.
"CN=Managers,OU=Security Groups,DC=contoso,DC=com"
"CN=Project 101 Team,OU=Security Groups,DC=contoso,DC=com"
"CN=Domain Users,CN=Users,DC=contoso,DC=com"
"CN=Print Operators,CN=Builtin,DC=contoso,DC=com"
"CN=Users,CN=Builtin,DC=contoso,DC=com"
How else can you confirm Lorrin’s group membership? Open Active Directory Users
And Computers and examine the Member Of property page of Lorrin’s Properties dia-
log box.
Step 2: Examine Effective Permissions
Explore the permissions assigned to the C:\Contoso\Intranet\News folder. You should
see, in the Security tab and in the Advanced Security Settings dialog boxes, that
Managers are granted Modify permission.
Click the Effective Permissions tab in the Advanced Security Settings dialog box and
select Lorrin’s user account. Examine his effective permissions. The permissions should
suggest that he is allowed to create files and write data in the folder.
Step 3: Evaluate the Situation
If Lorrin does have effective permissions that allow him to create files and write data,
why is he receiving an Access Denied message? If you haven’t figured it out already,
take a moment to review the Lesson Summaries after Lessons 1 and 4.
The problem might lie in other permissions assigned to the C:\Contoso\Intranet\News
folder. Share permissions and Web site or virtual directory permissions define the
maximum allowed access, so if one or more of those permissions were configured too
restrictively, it could prevent Lorrin from fully using his NTFS Allow Modify permission.
When Lorrin was saving his Web page in Notepad, he was connecting to the server
remotely. From the following list, identify the client and the service that were involved:
■ FTP Publishing Service
■ Worldwide Web Publishing Service
■ Telnet Service
■ File and Printer Sharing For Microsoft Networks
■ Internet browser client
■ FTP client
■ Telnet client
■ Client For Microsoft Networks
Lorrin is using the Client For Microsoft Networks service to connect to Server01’s File
and Printer Sharing service. You can identify that by examining the path Lorrin
specified to save the file: “\\server01\News\goodnews.htm.” It is a UNC path, which will
connect using Microsoft networking.
Knowing that, you can eliminate as a cause of the problem any permissions assigned
to the Web site or to the virtual directory; those permissions apply only to connections
from Web clients to the Web service.
That leaves one possible cause for permission problems: the Share permissions. The
default share permissions in Windows Server 2003 allow the Everyone group only
Read permission. Because share permissions define the maximum allowed access, they
are overriding the folder’s NTFS Allow Modify permission.
Step 4: Solve the Problem
Modify the share permissions on C:\Contoso\Intranet\News so that Everyone is allowed
Full Control.
Now the business requirements for the intranet news site are that users should only be
able to read documents. The default NTFS permission allows users to create files and
folders and then, of course, as owners of those files and folders, they can do whatever
they please.
Lock down NTFS permissions on the folder so that Users have Read & Execute permis-
sion without the special permissions (Create Files/Write Data; Create Folders/Append
Data).
Confirm your actions by logging on as Scott Bishop. Scott should be able to see
http://server01.contoso.com/News. If he connects to \\server01\News, he should not be
able to create a new file or modify an existing file.
Then log on as Lorrin. Lorrin should also be able to see the intranet news site, but he
should also be able to create and modify files in the \\server01\News share. You should
be able to create the news document as described in Exercise 3 of the Case Scenario and
then access that document at http://server01.contoso.com/News/goodnews.htm.
Chapter Summary
■ Windows Server 2003 provides new consoles and snap-ins to manage shared fold-
ers, audit policy, and IIS. Windows Explorer is still used, as well as the Shared
Folder snap-in, to manage NTFS ACLs although the ACL editor is significantly
more powerful.
■ NTFS permissions can be allowed or denied, explicit or inherited. A Deny permis-
sion takes precedence over an Allow permission; and an explicit permission takes
precedence over an inherited permission. The result is that an explicit Allow per-
mission can override an inherited Deny permission.
■ Access granted by NTFS permissions might be further restricted by share permis-
sions and IIS permissions on FTP sites, Web sites, virtual directories and docu-
ments. Whenever two permission types are assigned to a resource, such as share
permissions and NTFS permissions, you must evaluate each set of permissions,
then determine which of the two sets is more restrictive. And that is the set that
becomes effective.
■ The security descriptor of a file or folder also includes information about the
object’s owner. The owner, as well as any user with Allow Change permissions,
can modify the ACL. Ownership may be assumed by a user with the Allow Take
Ownership permission or may be transferred between users by anyone with the
Restore Files And Directories user right.
■ The security descriptor also contains auditing entries which, when audit policy is
enabled, directs the system to log the specified types of access for the specified
users or groups.
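The access rules that the Troubleshooting Lab and the Chapter Summary above rely on, modelled as an added Python example (this is an illustration written for this chapter, not Windows code and not from the book): NTFS ACEs are evaluated deny-before-allow and explicit-before-inherited, and the resulting rights are intersected with the permissions of the path the client used, that is, share permissions for a UNC connection or IIS directory permissions for a Web connection. The right names, the Everyone/Users/Managers ACLs, the lab accounts, and the single-entry IIS ACL are all constructed simplifications.

```python
"""Added model (not Windows code) of the access rules used in the
Troubleshooting Lab and the Chapter Summary: NTFS ACEs are evaluated
deny-before-allow and explicit-before-inherited, then the result is
intersected with the permissions of the path the client used (share
permissions for a UNC connection, IIS directory permissions for a Web
connection). All accounts, groups and ACLs below are constructed."""
from dataclasses import dataclass

# Generic rights; the named sets approximate the NTFS templates Read &
# Execute, Modify and Full Control. "create_files" stands for the single
# special permission Create Files/Write Data.
READ = frozenset({"read_data", "execute", "list_folder"})
WRITE = frozenset({"create_files", "create_folders", "delete"})
MODIFY = READ | WRITE
FULL = MODIFY | frozenset({"change_permissions", "take_ownership"})


@dataclass(frozen=True)
class Ace:
    principal: str
    allow: bool              # True for an Allow ACE, False for a Deny ACE
    rights: frozenset
    inherited: bool = False  # explicit ACEs are evaluated before inherited


def evaluate_acl(acl, token):
    """Rights one ACL grants a token. ACEs are visited explicit-before-
    inherited and, within each group, deny-before-allow; the first ACE that
    mentions a right decides it. So a Deny beats an Allow at the same level,
    while an explicit Allow beats an inherited Deny."""
    decided = {}
    for ace in sorted(acl, key=lambda a: (a.inherited, a.allow)):
        if ace.principal in token:
            for right in ace.rights:
                decided.setdefault(right, ace.allow)
    return frozenset(r for r, allowed in decided.items() if allowed)


def effective_rights(ntfs_acl, token, path_acl=None):
    """NTFS rights intersected with the rights of the access path: the share
    ACL for a UNC connection, the IIS directory permissions for a Web
    connection, or None for interactive logon (NTFS only). The intersection
    is the chapter's rule that the more restrictive set becomes effective."""
    rights = evaluate_acl(ntfs_acl, token)
    if path_acl is not None:
        rights &= evaluate_acl(path_acl, token)
    return rights


def can_create_file(rights):
    return "create_files" in rights


def can_read(rights):
    return "read_data" in rights


# Constructed ACLs for C:\Contoso\Intranet\News as the lab configures it.
NEWS_NTFS = [
    Ace("Administrators", True, FULL, inherited=True),
    # Default inherited Users entry: Read & Execute plus the two special
    # create permissions that Step 4 of the lab removes.
    Ace("Users", True, READ | {"create_files", "create_folders"}, inherited=True),
    Ace("Managers", True, MODIFY),                   # Case Scenario, Exercise 1
]
NEWS_NTFS_LOCKED = [a for a in NEWS_NTFS if a.principal != "Users"] + [
    Ace("Users", True, READ, inherited=True)]        # after the Step 4 lockdown
DEFAULT_SHARE = [Ace("Everyone", True, READ)]       # Server 2003 default share ACL
FIXED_SHARE = [Ace("Everyone", True, FULL)]         # Step 4 share change
IIS_VDIR = [Ace("Everyone", True, READ)]            # virtual directory: Read only


def network_token(user, *groups):
    """Principals in a remote connection's token (constructed lab accounts);
    Network is present because the connection is not an interactive logon."""
    return frozenset({user, *groups, "Users", "Everyone", "Network"})


LORRIN = network_token("Lorrin", "Managers", "Domain Users")
SCOTT = network_token("Scott", "Domain Users")


def lab_results():
    """Whether each access attempt in the lab succeeds."""
    return {
        "lorrin_unc_default_share": can_create_file(
            effective_rights(NEWS_NTFS, LORRIN, DEFAULT_SHARE)),
        "lorrin_unc_fixed_share": can_create_file(
            effective_rights(NEWS_NTFS, LORRIN, FIXED_SHARE)),
        "lorrin_web_read": can_read(effective_rights(NEWS_NTFS, LORRIN, IIS_VDIR)),
        "scott_unc_before_lockdown": can_create_file(
            effective_rights(NEWS_NTFS, SCOTT, FIXED_SHARE)),
        "scott_unc_after_lockdown": can_create_file(
            effective_rights(NEWS_NTFS_LOCKED, SCOTT, FIXED_SHARE)),
        "scott_web_read": can_read(effective_rights(NEWS_NTFS_LOCKED, SCOTT, IIS_VDIR)),
    }


def explicit_allow_overrides_inherited_deny():
    """Chapter Summary rule: a document inherits Deny Read for a group the
    user belongs to; an explicit Allow Read for the user restores access."""
    plan = [Ace("Marketing", False, READ, inherited=True),
            Ace("Users", True, READ, inherited=True)]
    bill = frozenset({"Bill", "Marketing", "Users", "Interactive"})
    before = can_read(effective_rights(plan, bill))
    after = can_read(effective_rights(plan + [Ace("Bill", True, READ)], bill))
    return before, after
```

Calling `lab_results()` reproduces the lab: with the default Everyone: Read share ACL, Lorrin’s Modify NTFS permission is cut down to Read over the UNC path, the Full Control share fix restores his write access, and after the NTFS lockdown Scott can still read the site over HTTP but can no longer create files in the share. The intersection is deliberately applied only to the path ACL that the client actually traversed, which is why IIS permissions never enter into Lorrin’s UNC problem.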
Exam Highlights
Before taking the exam, review the key topics and terms that are presented below to
help you identify topics you need to review. Return to the lessons for additional prac-
tice and review the “Further Reading” sections in Part 2 for pointers to more informa-
tion about topics covered by the exam objectives.
Key Points
■ Familiarize yourself with the tools that are used to configure shared folders, NTFS
permissions, auditing, and IIS. Spend some time with each snap-in, examining the
properties that can be configured and the role those properties play in managing
files and folders.
■ Be fluent in the determination of effective permissions: the interaction of explicit,
inherited, allowed, and denied permissions for multiple users, groups, computers,
and logon types such as Interactive versus Network.
■ Know the three steps required to configure auditing and the strategies you can use
to determine what kind of auditing (success or failure) to engage for a particular
goal.
■ Experience and understand the configuration of a Web site and virtual directory. If
you are not experienced with IIS, be certain to implement the Practice in Lesson 4
as well as the Case Scenario and Troubleshooting Lab.
Key Terms
hidden share A shared folder can be hidden by appending a $ to its share name.
Connections can be made to the share using the share’s UNC (for example,
\\server01\docs$), but the share will not appear on browse lists. Windows Server
2003 creates hidden administrative shares such as Admin$, Print$, and a hidden
share for the root of each disk volume. Only administrators can connect to the
hidden administrative shares.
inheritance By default, permissions assigned to a folder apply to the folder, its sub-
folders, and files. In addition, files and folders are configured by default to allow
inheritable permissions from their parent folder or volume to propagate to their
ACL. Through these two mechanisms, permissions assigned to a high-level folder
are propagated to its contents.
effective permissions Permissions can be allowed or denied, inherited or explicitly
assigned. They can be assigned to one or more users, groups, or computers. The
effective permissions are the overall permissions that result and determine the
actual access for a security principal.
ownership Each NTFS file or folder maintains a property that indicates the security
principal that owns the resource. The owner is able to modify the ACL of the
object at any time, meaning the owner cannot be locked out of the resource.
Ownership can be taken and transferred based on the Take Ownership permis-
sion and the Restore Files And Directories user right, respectively.
special accounts: Creator Owner, Network, and Interactive These security prin-
cipals are dynamic and represent the relationship between a user and a resource.
When a user creates a file or folder, they are the Creator Owner of that resource,
and any inheritable permissions on the parent folder or volume assigned to Cre-
ator Owner will be explicitly assigned to the user on the new object. Network and
Interactive represent the connection state of the user—whether the user is con-
nected to the resource from a remote client, or is logged on interactively to the
computer that is maintaining the resource.
Audit Object Access policy This policy, available in the Local Security Policy of a
stand-alone computer running Windows Server 2003, or in Group Policy Objects,
determines whether access to files, folders, and printers is registered in the Secu-
rity log. When this policy is enabled, the Auditing Entries for each object deter-
mine the types of activities that are logged.
virtual directory A virtual directory is an IIS object that allows a folder on any local
or remote volume to appear as a subfolder of a Web site.
Questions and Answers
Lesson 1 Review (page 6-11)
1. Which of the following tools allows you to administer a share on a remote server?
Select all that apply.
a. The Shared Folders snap-in
b. Windows Explorer running on the local machine, connected to the remote
server’s share or hidden drive share
c. Windows Explorer running on the remote machine in a Terminal Services or
Remote Desktop session
d. The File Server Management console
The correct answers are a, c, and d. Windows Explorer can be used only to administer a
local share, so you would have to run a remote desktop session to the remote server, and
run Windows Explorer in that session to manage that server’s shares. A more common, and
a better, practice is to use the Shared Folders snap-in, which is included in the File Server
Management console.
2. A folder is shared on a FAT32 volume. The Project Managers group is given Allow
Full Control share permission. The Project Engineers group is given Allow Read
share permission. Julie belongs to the Project Engineers group. She is promoted
and is added to the Project Managers group. What are her effective permissions to
the folder?
Full Control
3. A folder is shared on an NTFS volume, with the default share permissions. The
Project Managers group is given Allow Full Control NTFS permission. Julie, who
belongs to the Project Managers group, calls to report problems creating files in
the folder. Why can’t Julie create files?
The default share permission in Windows Server 2003 is Everyone: Allow Read. Share permis-
sions define the maximum effective permissions for files and folders in the share. The share
permissions restrict the NTFS full control permission. To correct the problem, you would need
to modify the share permissions to allow, at a minimum, the Project Managers group Change
permission.
Lesson 2 Review (page 6-30)
1. What are the minimum NTFS permissions required to allow users to open docu-
ments and run programs stored in a shared folder?
a. Full Control
b. Modify
c. Write
d. Read & Execute
e. List Folder Contents
The correct answer is d.
2. Bill complains that he is unable to access the department plan. You open the Secu-
rity tab for the plan and you find that all permissions on the document are inher-
ited from the plan’s parent folder. There is a Deny Read permission assigned to a
group to which Bill belongs. Which of the following methods would enable Bill to
access the plan?
a. Modify the permissions on the parent folder by adding the permission
Bill:Allow Full Control.
b. Modify the permissions on the parent folder by adding the permission
Bill:Allow Read.
c. Modify the permissions on the plan by adding the permission Bill:Allow
Read.
d. Modify the permissions on the plan by deselecting Allow Inheritable Permis-
sions, choosing Copy, and removing the Deny permission.
e. Modify the permissions on the plan by deselecting Allow Inheritable Permis-
sions, choosing Copy, and adding the permission Bill:Allow Full Control.
f. Remove Bill from the group that is assigned the Deny permission.
The correct answers are c, d, and f.
3. Bill calls again to indicate that he still cannot access the departmental plan. You
use the Effective Permissions tool, select Bill’s account, and the tool indicates that
Bill is, in fact, allowed sufficient permissions. What might explain the discrepancy
between the results of the Effective Permissions tool and the issue Bill is reporting?
The Effective Permissions tool is only an approximation of a user’s access. It is possible that
a permission entry is assigned to a logon-related account, such as Interactive or Network, that
could be denying access. Permissions for logon groups are not evaluated by the Effective Per-
missions tool. Or, if you are not logged on as a Domain Admin, you might not be able to read
all group memberships, which might skew the resulting permissions report.
Lesson 3 Review (page 6-37)
1. Which of the following must be done to generate a log of resource access for a file
or folder? Select all that apply.
a. Configure NTFS permissions to allow the System account to audit resource
access.
b. Configure audit entries to specify the types of access to audit.
c. Enable the Audit Privilege Use policy.
d. Enable the Audit Object Access policy.
The correct answers are b and d.
2. Which of the following are valid criteria for a security log filter to identify specific
file and folder access events? Select all that apply.
a. The date of the event
b. The user that generated the event
c. The type of object access that generated the event
d. Success or failure audit
The correct answers are a, b, and d.
3. Users at Contoso, Ltd use Microsoft Office applications to access resources on
Server01. Your job is to monitor Server01 to ensure that permissions are not too
restrictive so that users are not prevented from achieving their assignments. Which
log, and which type of event, will provide the information you require?
a. Application log; Success Event
b. Application log; Failure Event
c. Security log; Success Event
d. Security log; Failure Event
e. System log; Success Event
f. System log; Failure Event
The correct answer is d.
Lesson 4 Review (page 6-49)
1. You’re setting up a Web site in IIS on Server01. The site’s Internet domain name is
adatum.com, and the site’s home directory is C:WebAdatum. Which URL should
Internet users use to access files in the home directory of the site?
a. http://server01.web.adatum
b. http://web.adatum.com/server01
c. http://server01.adatum/home
d. http://server01.adatum.com
The correct answer is d.
2. Data for your corporate intranet is currently stored on the D drive of your IIS
server. It is decided that the HR department will serve information about the com-
pany benefits and policies from its server, and that the URL to access the HR infor-
mation should be http://intranet.contoso.com/hr. What do you need to configure?
a. A new Web site
b. A new FTP site
c. A virtual directory from file
d. A virtual directory
The correct answer is d.
3. You want to ensure the highest level of security for your corporate intranet with-
out the infrastructure of certificate services. The goal is to provide authentication
that is transparent to users and to allow you to secure intranet resources with the
group accounts existing in Active Directory. All users are within the corporate fire-
wall. What authentication method should you choose?
a. Anonymous Access
b. Basic Authentication
c. Digest Authentication
d. Integrated Windows Authentication
The correct answer is d.
Case Scenario Exercise 3 (page 6-52)
3. Are you able to save the file?
If you followed the instructions of this Case Scenario fully, you should not be able to do so.
7 Backing Up Data
Exam Objectives in this Chapter:
■ Manage backup procedures
❑ Verify the successful completion of backup jobs
❑ Manage backup storage media
■ Configure security for backup operations
■ Schedule backup jobs
■ Restore backup data
Why This Chapter Matters
You’ve worked hard to configure and maintain a best practice server environ-
ment. You have outfitted the server with a sophisticated redundant array of inde-
pendent disks (RAID) subsystem, carefully managed file and share permissions,
locked down the server with policy, and physically secured the server to prevent
unauthorized interactive log on. But today, none of that matters because the
building’s fire sprinklers went off last night, and today your servers are full of
water. All that matters today is that you are able to restore your data from backup.
Among the many high-priority tasks for any network administrator is the creation
and management of solid backup and restore procedures. Microsoft Windows
Server 2003 offers powerful and flexible tools that will enable you to perform
backups of local and remote data, including open and locked files, and to sched-
ule those backups for periods of low use, such as during the night.
This chapter examines the Ntbackup utility’s graphical user interface (GUI) and
command-line functionality in the protection of data files. You will learn how to
plan an effective backup and media management strategy, how to execute back-
ups, and how to restore data correctly in a variety of scenarios. You will also
leverage the new Volume Shadow Copy Service (VSS) to allow faster recovery of
data lost by administrators and users alike. Later in the book, we will return to
Ntbackup to focus on recovering the operating system during a system restore.
Lessons in this Chapter:
■ Lesson 1: Fundamentals of Backup (page 7-3)
■ Lesson 2: Restoring Data (page 7-14)
■ Lesson 3: Advanced Backup and Restore (page 7-20)
Before You Begin
For hands-on practice using the examples and lab exercises in the chapter, prepare the
following:
■ Active Directory Users And Computers snap-in
■ A Windows Server 2003 (Standard or Enterprise) installed as Server01 and config-
ured as a domain controller in the domain contoso.com
Lesson 1: Fundamentals of Backup
At the core of every backup procedure are a backup tool and a backup plan. Windows
Server 2003 provides a robust, flexible utility called Ntbackup. Ntbackup supports
much of the functionality found in third-party tools, including the ability to schedule
backups, and interacts closely with VSS and the Removable Storage Management
(RSM) system. In this lesson, you will examine the conceptual and procedural issues
pivotal to the backing up of data so that you understand the fundamentals of planning
for and creating backup jobs with Ntbackup.
After this lesson, you will be able to
■ Back up data on local and remote computers
■ Understand backup job types
■ Create a backup strategy combining normal and incremental or differential backups
Estimated lesson time: 20 minutes
Introducing the Backup Utility
The backup utility in Windows Server 2003, commonly referred to by its executable
name, Ntbackup, can be opened by clicking Backup in the Accessories–System Tools
program group in the Start menu. Alternatively, it can be launched by typing
ntbackup.exe in the Run dialog box.
The first time you launch the backup utility, it runs in Wizard mode, as shown in
Figure 7-1. This chapter focuses on the more commonly used Backup Utility interface.
If you agree with most administrators that it is easier to use the standard utility than the
wizard, clear the Always Start In Wizard Mode check box, and then click Advanced Mode.
Figure 7-1 The Backup Or Restore Wizard
As you can see in the utility’s Welcome tab in Figure 7-2, you can back up data manu-
ally (the Backup tab) or use the Backup Wizard. You can also schedule unattended
backup jobs. The Backup Utility is also used to restore data manually (the Restore And
Manage Media tab) or allow you to use the Restore Wizard. The Automated System
Recovery (ASR) Wizard, which backs up critical operating system files, will be dis-
cussed later in Chapter 13, “Recovering from System Failure.”
Figure 7-2 The Welcome tab of the Backup Utility
This lesson focuses on data backup planning and execution, and to explore the capa-
bility of the Backup Utility, we will use the Backup tab, as shown in Figure 7-3, rather
than the Backup Wizard.
Figure 7-3 The Backup tab of the Backup Utility
Selecting Files to Back Up
You may use the Backup tab to select the files and folders to be backed up. Items may
be on local volumes or in network folders. When you select an entire folder for
backup, a blue check mark appears. If you select only certain items in a folder, the
folder displays a dimmed check mark to indicate a partial backup.
To back up files or folders from remote machines, either select the items from a
mapped drive or expand My Network Places. The latter is the equivalent of using a
Universal Naming Convention (UNC) such as \\Server01\Sharename\Path-to-resource.
Although selecting files and folders through My Network Places is more cumbersome
(you must navigate more levels of the interface to locate the files), it has an
advantage because drive mappings are more likely to change over time than are UNCs.
Tip You can save the set of selected files and folders using the Save Selections command
in the Job menu. You can later load the selections using Load Selections from the Job menu,
saving the time required to recreate your selection.
Selecting the Backup Destination
Windows Server 2003 allows you to create a backup job on a variety of media types: a
tape drive, a removable drive such as the Iomega Jaz drive, and, most important,
directly to file on a disk volume. If the destination is a tape, the name specified must
match the name of a tape that is mounted in the tape device.
If backing up to a file, the Backup Utility creates a .bkf file in the specified location,
which can be a local volume or remote folder. It is not uncommon for administrators
using the Backup Utility to back up a file on each server and consolidate the resulting
files on a central server, which then transfers the backups to removable media. To
achieve such a consolidation, the backup destination is configured as either a UNC to
a single location on a central server or a local file on each server, which is later copied
to a central location.
There are two important limitations of the Backup Utility. First, it does not support
writable DVD and CD formats. To work around this limitation, back up to a file, then
transfer the file to CD or DVD. Second, backing up to any destination except a file
requires that the target media be in a device physically attached to the system. This
means, for example, that you cannot back up data to a tape drive attached to a
remote server.
Determining a Backup Strategy
After selecting the files to back up and specifying the backup destination, there is at
least one more critical choice to make. Click Start Backup, then click Advanced, and
the Advanced Backup Options dialog box appears, allowing you to specify the backup
type. The backup type determines which of your selected files is in fact transferred to
the destination media.
Each backup type relates in one way or another to an attribute maintained by every
file: archive. The archive (A) attribute is a flag that is set when a file has been created
or changed. To reduce the size and duration of backup jobs, most backup types will
transfer to media only the files that have their archive attribute set. The most common
source of confusion regarding the archive attribute arises from terminology. You will
frequently hear, “The file is marked as backed up,” which really means that the archive
attribute is cleared after a particular backup job. The next job will not transfer that file
to media. If the file is modified, however, the archive attribute will again be set, and the
file will be transferred at the next backup.
Exam Tip As you explore each backup type, keep track of how the archive attribute is used
and treated by the backup type. You will need to know the advantages and disadvantages of
each backup type and how to fully restore a data structure based on the backup procedures
that have been implemented.
Normal Backups
All selected files and folders are backed up. The archive attribute is cleared. A Normal
backup does not use the archive attribute to determine which files to back up; all
selected items are transferred to the destination media. Every backup strategy begins with
a Normal backup that essentially creates a baseline, capturing all files in the backup job.
Normal backups are the most time-consuming and require the most storage capacity of
any backup type. However, because they generate a complete backup, normal back-
ups are the most efficient type from which to restore a system. You do not need to
restore multiple jobs. Normal backups clear the archive attribute from all selected files.
Incremental Backups
Selected files with the archive attribute set are backed up to the destination media. The
archive attribute is cleared. If you perform an incremental backup one day after a nor-
mal backup has been performed, the job will contain only the files that were created
or changed during that day. Similarly, if you perform an incremental backup one day
after another incremental backup, the job will contain only the files that were created
or changed during that day.
Incremental backups are the fastest and smallest type of backup. However, they are
less efficient as a restore set because you must restore the normal backup and then
restore, in order of creation, each subsequent incremental backup.
Differential Backups
Selected files with the archive attribute set are backed up. The archive attribute is not cleared. Because a differential backup uses the archive attribute, the job includes only files that have been created or changed since the last normal or incremental backup. A differential backup does not clear the archive attribute; therefore, if you perform differential backups two days in a row, the second job will include all the files in the first differential backup, as well as any files that were created or changed during the second day. As a result, differential backups tend to be larger and more time-consuming than incremental backups, but less so than normal backups.
Differential backups are significantly more efficient than incremental backups as a restore set, however. To fully restore a system, you would restore the normal backup and the most recent differential backup.
Copy Backups
All selected files and folders are backed up. Copy neither uses nor clears the archive
attribute. Copy backups are not used for typical or scheduled backups. Instead, copy
backups are useful to move data between systems or to create an archival copy of data
at a point in time without disrupting standard backup procedures.
Daily Backups
All selected files and folders that have changed during the day are backed up based on
the files’ modify date. The archive attribute is neither used nor cleared. If you want to
back up all files and folders that change during the day without affecting a backup
schedule, use a daily backup.
Combining Backup Types
Although creating a normal backup every night ensures that a server can be restored from a single job the next day, a normal backup might take too much time to create, perhaps causing the overnight job to last well into the morning, thus disrupting performance during working hours. To create an optimal backup strategy, you must take into account the time and size of the backup job, as well as the time required to restore a system in the event of failure. Two common solutions are:
■ Normal and differential backups On Sunday a normal backup is performed, and on Monday through Friday nights, differential backups are performed. Differential backups do not clear the archive attribute, which means that each backup includes all changes since Sunday. If data becomes corrupt on Friday, you only need to restore the normal backup from Sunday and the differential backup from Thursday. This strategy takes more time to back up, particularly if data changes frequently, but is easier and faster to restore because the backup set is on fewer disks or tapes.
■ Normal and incremental backups On Sunday a normal backup is performed, and on Monday through Friday incremental backups are performed. Incremental backups clear the archive attribute, which means that each backup includes only the files that changed since the previous backup. If data becomes corrupt on Friday, you need to restore the normal backup from Sunday and each of the incremental backups, from Monday through Friday. This strategy takes less time to back up but more time to restore.
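The archive-attribute rules above determine both what each job contains and which jobs a restore needs. The following Python model is an added example, not code from the training kit: it keeps an in-memory volume in which each file carries an archive bit and a last-modified day, applies the selection and clearing rule of each backup type, and derives the minimal restore set for a sequence of jobs. The week() function plays out the two strategies just described with a constructed pattern of daily changes, and practice() replays the sequence of jobs in the practice that follows; the file names and change days are assumptions made for the demonstration.

```python
"""Model of how the Ntbackup backup types use the archive attribute.

Added example, not code from the training kit. A volume is a dict of
file name -> File; every write sets the archive bit, and each backup type
selects files and clears (or keeps) the bit as the lesson describes.
"""
from dataclasses import dataclass


@dataclass
class File:
    archive: bool      # the archive attribute; set whenever the file is written
    modified_day: int  # day number of the last write (stands in for the modify date)


# backup type -> (which files the job takes, whether the job clears the archive bit)
BACKUP_TYPES = {
    "normal":       ("all",     True),
    "incremental":  ("archive", True),
    "differential": ("archive", False),
    "copy":         ("all",     False),
    "daily":        ("today",   False),
}


def touch(volume, name, day):
    """Create or modify a file; either operation sets the archive bit."""
    volume[name] = File(archive=True, modified_day=day)


def backup(volume, kind, day=None):
    """Return the sorted file names the job would contain and update the bits."""
    selector, clears = BACKUP_TYPES[kind]
    job = []
    for name, f in volume.items():
        take = (selector == "all"
                or (selector == "archive" and f.archive)
                or (selector == "today" and f.modified_day == day))
        if take:
            job.append(name)
            if clears:
                f.archive = False
    return sorted(job)


def restore_plan(jobs):
    """Minimal ordered list of job names needed to rebuild the data.

    jobs is a list of (job name, backup type) in the order they were run.
    Only jobs after the latest normal backup matter: every incremental is
    needed; a differential is needed only if it is the most recent job after
    the last incremental, because it already holds what earlier ones held.
    Copy and daily jobs sit outside the rotation and never enter the plan.
    """
    normals = [i for i, (_, kind) in enumerate(jobs) if kind == "normal"]
    if not normals:
        raise ValueError("a restore plan needs a normal backup to start from")
    start = normals[-1]
    plan = [jobs[start][0]]
    last_diff = None
    for name, kind in jobs[start + 1:]:
        if kind == "incremental":
            plan.append(name)
            last_diff = None   # this incremental captured the earlier diffs' files too
        elif kind == "differential":
            last_diff = name
    if last_diff:
        plan.append(last_diff)
    return plan


def week(kind):
    """Sunday normal, then Monday-Friday jobs of `kind`; returns (job sizes, plan)."""
    volume = {}
    for n in ("a.txt", "b.txt", "c.txt", "d.txt", "e.txt"):
        touch(volume, n, day=0)
    jobs = [("Sun-normal", "normal")]
    backup(volume, "normal")
    # Constructed change pattern: a.txt is edited twice during the week.
    changes = {1: ["a.txt"], 2: ["b.txt"], 3: ["a.txt", "c.txt"], 4: ["d.txt"], 5: ["e.txt"]}
    sizes = []
    for day, names in changes.items():
        for n in names:
            touch(volume, n, day)
        sizes.append(len(backup(volume, kind, day)))
        jobs.append((f"day{day}-{kind}", kind))
    return sizes, restore_plan(jobs)


def practice():
    """Replay the Lesson 1 practice (Exercises 1-4); returns {job name: contents}."""
    volume = {}
    for n in ("Historical.txt", "Current.txt", "Budget.txt", "Projections.txt"):
        touch(volume, n, day=0)
    jobs = {}
    jobs["backup-normal.bkf"] = backup(volume, "normal")
    touch(volume, "Current.txt", day=1)
    jobs["backup-diff-day1.bkf"] = backup(volume, "differential")
    touch(volume, "Budget.txt", day=2)
    jobs["backup-diff-day2.bkf"] = backup(volume, "differential")
    jobs["backup-inc-day2.bkf"] = backup(volume, "incremental")
    touch(volume, "Projections.txt", day=3)
    jobs["backup-inc-day3.bkf"] = backup(volume, "incremental")
    return jobs


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        print(kind, *week(kind))
    for job, files in practice().items():
        print(job, files)
```

Running week("differential") shows the job sizes growing every day while the plan stays at two jobs; week("incremental") shows small jobs and a plan that lists every job of the week, which is the trade-off the two bullets above describe.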
Practice: Performing Different Backup Types
In this practice, you will create several backup jobs, examining the role of the archive
attribute.
Exercise 1: Create Sample Data
1. Open Notepad and create a text file with the following lines. Type each line carefully.
md c:\Data
net share data=C:\Data
md c:\Data\Finance
cd c:\data\Finance
echo Historical Financial Data > Historical.txt
echo Current Financials > Current.txt
echo Budget > Budget.txt
echo Financial Projections > Projections.txt
2. Save the file as “c:\createfiles.bat” including the quotation marks.
3. Open the command prompt and type cd c:\.
4. Type the command createfiles.bat.
5. Open Windows Explorer and navigate to the c:\data\finance directory. You should see the four text files you just created.
6. If the Attributes column is not visible, right-click the column header Date Modified and select Attributes. The archive attribute is displayed.
Note Leave Windows Explorer open on C:\Data\Finance. You will refer to it throughout this practice.
Exercise 2: Perform a Normal Backup
1. Open the Backup Utility by running Ntbackup.exe from the command line or
selecting Backup from the Accessories–System Tools group on the Start menu.
2. Clear the Always Start In Wizard Mode check box.
3. Click Advanced Mode.
4. Click the Backup tab.
5. Expand My Computer, the C drive, and then the Data folder so that you can select
the Finance folder.
The Finance folder has a blue check mark, meaning a complete backup, whereas
its parent folder has a dimmed check mark, indicating a partial backup. Any files
added to the Finance folder will be included in the backup, but any files added to
the Data folder will not.
6. On the Job menu, choose Save Selections.
7. Save the selections as Finance Backup.bks.
8. In the Backup Media Or Filename box, type c:\backup-normal.bkf.
Note In production environments, you will be likely to use removable media for backups, but
to keep hardware requirements to a minimum, practices in this lesson will back up and restore
using local files. If you have access to a tape drive, feel free to use it during these practices.
9. Click Start Backup and then click Advanced.
10. Confirm that Normal is selected in the Backup Type drop-down box, and then
click OK.
11. Select Replace The Data On The Media With This Backup and click Start Backup.
12. Observe the Backup Progress dialog box. When the backup is complete, click
Report.
13. Examine the report. No errors should be reported.
14. Close the report and the Backup Utility.
Note that in Windows Explorer, the Attributes column no longer shows the archive
attribute.
7-10 Chapter 7 Backing Up Data
Exercise 3: Perform Differential Backups
1. Open C:\Data\Finance\Current.txt and add some text. Save and close the file.
2. Examine C:\Data\Finance in Windows Explorer. What files are showing the
archive attribute?
Only the one you just changed.
3. Open the Backup Utility and click the Backup tab.
4. From the Job menu, choose Load Selections to load Finance Backup selections.
5. In the Backup Media Or Filename box, type c:\backup-diff-day1.bkf.
6. Click Start Backup.
7. Click Advanced and select Differential as the backup type.
8. Start the backup and, when complete, confirm that no errors occurred.
9. Close the Backup Utility.
10. Examine the folder in Windows Explorer. Which files have their archive attribute set?
The file Current.txt is still flagged for archiving.
11. Open the Budget file and make some changes. Save and close the file. Confirm
that its archive attribute is now set.
12. Repeat steps 3 through 9, creating a backup job in the location: c:\backup-diff-day2.bkf. Be sure to look at the resulting backup report. How many files were copied for the backup?
Two.
Exercise 4: Perform Incremental Backups
1. Open the Backup Utility and click the Backup tab.
2. From the Job menu, choose Load Selections to load Finance Backup selections.
3. In the Backup Media Or Filename box, type c:\backup-inc-day2.bkf.
4. Click Start Backup.
5. Click Advanced and select Incremental as the backup type.
6. Start the backup and, when complete, confirm that no errors occurred.
7. Close the Backup Utility.
8. Examine the folder in Windows Explorer. Which files have their archive attribute set?
None.
9. Open the Projections file and make some changes. Save and close the file. It should show the archive attribute in Windows Explorer.
10. Repeat steps 1 through 8, creating a backup job in the location: c:\backup-inc-day3.bkf.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. Which of the following locations are not allowed to be used for a backup of a
Microsoft Windows Server 2003 system?
a. Local tape drive
b. Local CD-RW
c. Local hard drive
d. Shared folder on a remote server
e. Local DVD+R
f. Local removable drive
g. Tape drive on a remote server
2. You are to back up a Windows Server 2003 file server every evening. You perform
a manual, normal backup. You will then schedule a backup job to run every
evening for the next two weeks. Which backup type will complete the fastest?
a. Normal
b. Differential
c. Incremental
d. Copy
3. You are to back up a Windows Server 2003 file server every evening. You perform
a manual, normal backup. You will then schedule a backup job to run every
evening for the next two weeks. Which backup type will provide the simplest
recovery of lost data?
a. Normal
b. Differential
c. Incremental
d. Daily
4. You are to back up a Windows Server 2003 file server every evening. You perform a normal backup. On the second evening, you consider whether to use incremental or differential backup. Will there be any difference in the speed or size of those two backup jobs? If the server were to fail the following day, would there be any difference in the efficiency of recovery?
5. Review the steps taken during the Practice. Predict the contents of the following
backup jobs:
❑ backup-normal.bkf
❑ backup-diff-day1.bkf
❑ backup-diff-day2.bkf
❑ backup-inc-day2.bkf
❑ backup-inc-day3.bkf
Are there any differences between the contents of backup-diff-day2 and backup-inc-day2?
Note You can find the answers in the “Questions and Answers” section at the end of the
lesson. However, you should test your predictions by performing the Practice in Lesson 2.
Lesson Summary
■ The Backup Utility, Ntbackup, allows you to back up and restore data from local
and remote folders.
■ You may back up to local files, tape drives, and removable media or to shared
folders on remote servers. You cannot back up to writable CD or DVD formats.
■ A normal backup is a complete backup of all selected files and folders. It is always
the starting point of any backup strategy.
■ An incremental backup copies selected files that have changed since the most
recent normal or incremental backup. Both normal and incremental backups clear
the archive attribute.
■ A differential backup copies all selected files that have changed since the last normal or incremental backup. Differential backups do not clear the archive attribute.
■ Copy backups and daily backups are less frequently used. They back up all
selected files, in the case of Copy backup, or files modified on a specific date, in
the case of Daily backup. They do not reset the archive attribute, so they can be
used to capture data for backup or transfer without interfering with the normal
backup schedule.
Lesson 2: Restoring Data
In conjunction with the design of a backup strategy, you must create and verify restore
procedures to ensure that appropriate personnel are knowledgeable in the concepts
and skills that are critical to data recovery. This lesson will share the processes and
options available for restoring data using the Backup Utility.
After this lesson, you will be able to
■ Restore data to its original location or to an alternate folder
■ Configure restore options
Estimated lesson time: 10 minutes
Restoring with the Backup Utility
Restoring data is a straightforward procedure. After opening the Backup Utility and
clicking the Restore And Manage Media tab as shown in Figure 7-4, you will be able to
select the backup set from which to restore. Windows Server 2003 will then display the
files and folders that the backup set contains by examining the backup set’s catalog.
You can then select the specific files or folders you wish to restore. As with the backup
selection, a blue check mark indicates that a file or folder will be fully restored. A
dimmed check mark on a folder means that some, but not all, of its contents will be
restored.
Figure 7-4 The Backup Utility’s Restore And Manage Media tab
You are also asked to specify the restore location. For this option, you have three
choices:
■ Original location Files and folders will be restored to the location from which
they were backed up. The original folder structure will be maintained or, if folders
were deleted, re-created.
■ Alternate location Files and folders will be restored to a folder you designate in the Alternate Location box. The original folder structure is preserved and created beneath that folder, where the designated alternate location is equivalent to the root (volume) of the backed-up data. So, for example, if you backed up a folder C:\Data\Finance and you restored the folder to C:\Restore, you would find the Finance folder in C:\Restore\Data\Finance.
■ Single folder Files are restored to the folder you designate, but the folder structure is not maintained. All files are restored to a single folder.
After selecting the files to restore and the restore location, click Start Restore. Click OK
and the restore process will begin. Confirm that no errors occurred.
Restore Options
Windows Server 2003 supports several options for how files in the restore location are
handled during a restore. The following options are found in the Backup Utility’s
Tools–Options command, in the Restore tab shown in Figure 7-5:
■ Do Not Replace The File On My Computer. This option, the default, causes
the Restore utility to skip files that are already in the target location. A common
scenario leading to this choice is one in which some, but not all, files have been
deleted from the restore location. This option will restore such missing files with
the backed-up files.
■ Replace The File On Disk Only If The File On Disk Is Older. This option directs the restore process to overwrite existing files unless those files are more recent than the files in the backup set. The theory is that if a file in the target location is more recent than the backed-up copy, it is possible that the newer file contains information that you do not want to overwrite.
■ Always Replace The File On My Computer. Under this restore option, all files
are overwritten by their backed-up versions, regardless of whether the file is more
recent than the backup. You will lose data in files that were modified since the
backup date. Any files in the target location that are not in the backup set will
remain, however.
After selecting files to restore, restore options, and a restore destination, click Start
Restore, and then confirm the restore. The Start Restore dialog box appears.
Figure 7-5 Restore tab options
Before confirming the restore, you can configure how the restore operation will treat
security settings on the backed-up files by clicking Advanced in the Confirm Restore
dialog box and selecting the Restore Security option. If data was backed up from, and
is being restored to, an NTFS volume, the default setting will restore
permissions, audit settings, and ownership information. Deselecting this option will
restore the data without its security descriptors, and all restored files will inherit the
permissions of the target restore volume or folder.
Practice: Restoring Data
In this practice, you will verify your backup and restore procedures using a common
method: restoring to a test location.
Exercise 1: Verify Backup and Restore Procedures
To verify backup and restore procedures, many administrators will perform a test restore of a backup set. To avoid damaging production data, that test restore is targeted not at the original location of the data, but at another folder, which can then be discarded following the test. In a production environment, your verification should include restoring the backup to a “standby” server, which would entail making sure that the backup device (that is, the tape drive) is correctly installed on a server that can host data in the event that the primary server fails. To do this, perform the following steps:
1. Open the Backup Utility.
2. Click Restore And Manage Media.
3. Click the plus sign to expand the file.
4. Click the plus sign to expand Backup-normal.bkf.
5. Click the check box to select C:.
6. Expand C:, Data, and Finance. You will notice that your selection of the C: folder has selected its child folders and files.
7. In the Restore Files To drop-down box, select Alternate Location.
8. In the Alternate Location field, type C:\TestRestore.
9. Click Start Restore.
10. In the Confirm Restore dialog box, click OK.
11. When the restore job is complete, click Report and examine the log of the restore operation.
12. Open the C:\TestRestore folder and verify that the folder structure and files restored correctly.
13. Repeat steps 1 through 10, this time restoring the file backup-diff-day2.bkf. When the restore job is finished, continue to step 14 to examine its report.
14. When the restore job finishes, click Report to view the restore job log. If you accidentally close the job status window, choose the Report command from the Tools menu, select the most recent report, and click View.
15. Examine the report for the job you just restored. How many files were restored?
None.
Why?
The answer lies in the restore options.
16. Choose the Options command from the Tools menu and click the Restore tab. Now you can identify the problem. The default configuration of the Backup Utility is that it does not replace files on the computer. Therefore, the differential job, which contains files that were updated after the normal backup, was not successfully restored.
17. Choose Always Replace The File On My Computer.
18. Repeat the restore operation of backup-diff-day2.bkf. The report should confirm that two files were restored.
19. You have now verified your backup and restore procedures, including the need to modify restore options. Delete the C:\TestRestore folder.
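The three restore options described under Restore Options, and the zero-file result seen in step 15 of this practice, each come down to one rule applied file by file. The following Python model is an added example, not code from the training kit: restore() applies a backup set to a target folder under a given option and reports which files it would write, scenarios() runs all three options against one constructed target, and practice_walkthrough() replays the normal-then-differential test restore from Exercise 1. The Version class, the timestamps and the file contents are constructed for the demonstration.

```python
"""Model of the three Ntbackup restore options.

Added example, not code from the training kit. A folder is a dict of
file name -> Version; a backup set has the same shape. Timestamps are
small integers that only need to compare correctly.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Version:
    mtime: int     # modification time; larger means more recent
    content: str


DO_NOT_REPLACE = "Do Not Replace The File On My Computer"                # the default
REPLACE_IF_OLDER = "Replace The File On Disk Only If The File On Disk Is Older"
ALWAYS_REPLACE = "Always Replace The File On My Computer"


def restore(target, backup_set, option):
    """Apply backup_set to target in place; return the sorted names written.

    A file missing from the target is written under every option. Files in
    the target that are not in the backup set are never touched.
    """
    written = []
    for name, saved in backup_set.items():
        on_disk = target.get(name)
        if on_disk is None:
            replace = True
        elif option == DO_NOT_REPLACE:
            replace = False
        elif option == REPLACE_IF_OLDER:
            replace = on_disk.mtime < saved.mtime
        elif option == ALWAYS_REPLACE:
            replace = True
        else:
            raise ValueError(f"unknown restore option: {option}")
        if replace:
            target[name] = saved
            written.append(name)
    return sorted(written)


def scenarios():
    """Same backup set and target under each option; returns {option: files written}."""
    backup_set = {
        "a.txt": Version(20, "a from backup"),
        "b.txt": Version(20, "b from backup"),
        "c.txt": Version(20, "c from backup"),
    }
    results = {}
    for option in (DO_NOT_REPLACE, REPLACE_IF_OLDER, ALWAYS_REPLACE):
        # Constructed target: a.txt older than the backup, b.txt edited after
        # the backup was taken, c.txt deleted from the folder.
        target = {"a.txt": Version(10, "a old"), "b.txt": Version(30, "b edited today")}
        results[option] = restore(target, backup_set, option)
    return results


def practice_walkthrough():
    """Replay Lesson 2, Exercise 1: normal set into an empty test folder,
    then the day-2 differential set on top of it, first with the default
    option and then with Always Replace. Returns the file counts written."""
    normal_set = {n: Version(1, "original") for n in
                  ("Historical.txt", "Current.txt", "Budget.txt", "Projections.txt")}
    diff_day2_set = {"Current.txt": Version(2, "edited on day 1"),
                     "Budget.txt": Version(3, "edited on day 2")}
    test_restore = {}   # stands in for the empty C:\TestRestore folder
    counts = {"normal": len(restore(test_restore, normal_set, DO_NOT_REPLACE))}
    counts["diff-day2 with default"] = len(restore(test_restore, diff_day2_set, DO_NOT_REPLACE))
    counts["diff-day2 with Always Replace"] = len(restore(test_restore, diff_day2_set, ALWAYS_REPLACE))
    return counts


if __name__ == "__main__":
    for option, files in scenarios().items():
        print(f"{option}: {files}")
    print(practice_walkthrough())
```

The model tracks only whether a file is written; it has no counterpart to the Restore Security option, so permissions and ownership are outside what it shows.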
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. A user has accidentally deleted the data in a Microsoft Word document and saved
the document, thereby permanently altering the original file. A normal backup
operation was performed on the server the previous evening. Which restore
option should you select?
a. Do Not Replace The File On My Computer
b. Replace The File On Disk Only If The File On Disk Is Older
c. Always Replace The File On My Computer
2. An executive has returned from a business trip. Before the trip, she copied files from a network folder to her hard drive. The folder is shared with other executives, who modified their files in the folder while she was away. When she returned, she moved her copy of the files to the network share, thereby updating her files with the changes she made while away, but also overwriting all the files that had been changed by other executives. The other executives are unhappy that their files have been replaced with the versions that were active when she left for her trip. Luckily, you performed a normal backup operation on the folder the previous evening. What restore option should you choose?
a. Do Not Replace The File On My Computer
b. Replace The File On Disk Only If The File On Disk Is Older
c. Always Replace The File On My Computer
3. You would like to test the restore procedures on your server but would also like
to avoid affecting the production copies of the backed-up data. What is the best
restore location to use?
a. Original location
b. Alternate location
c. Single folder
Lesson Summary
■ The Backup Utility will also allow you to restore backed-up data.
■ When restoring a lost file or folder, it is common to select Original Location as the
restore location.
■ When testing restore procedures, it is common to select Alternate Location as the
restore location so that you do not affect the original copies of the backed-up files
and folders.
■ When restoring a differential or incremental backup set after restoring the normal
backup set, you will need to select the restore option Always Replace The File On
My Computer.
■ When restoring a folder in which files have been lost, but some files are intact, you
should select the restore option Do Not Replace The File On My Computer or
Replace The File On Disk Only If The File On Disk Is Older.
Lesson 3: Advanced Backup and Restore
Now that you have created a backup plan and verified your procedures for backup and restore, you will want to understand the process in more depth so that you can configure backup operations to be more flexible, more automated, or perhaps even easier. This lesson will explore the technologies underlying data backup such as VSS and RSM, and will lay out options for scripting and scheduling backup operations. You will then leverage the new Shadow Copies Of Shared Folders feature to enable users to recover from simple data-loss scenarios without administrative intervention.
After this lesson, you will be able to
■ Configure group membership to enable a user to perform backup and restore operations
■ Manage tape backup media
■ Catalog backup sets
■ Configure backup options
■ Execute a backup from the command prompt
■ Schedule backup jobs
■ Configure and use Shadow Copies Of Shared Folders
Estimated lesson time: 30 minutes
Understanding VSS
Windows Server 2003 offers VSS, also referred to as “snap backup.” VSS allows the
backing up of databases and other files that are held open or locked due to operator
or system activity. Shadow copy backups allow applications to continue to write data
to a volume during backup, and allow administrators to perform backups at any time
without locking out users or risking skipped files.
Although VSS is an important enhancement to the backup functionality of Windows Server 2003, it is nevertheless best practice to perform backups when usage is low. If an application manages the consistency of its storage in its own way while its files are open, the copies of those open files in the backup may not be consistent. For critical applications, or for applications such as Microsoft SQL Server that offer native backup capabilities, consult the documentation for the application to determine the recommended backup procedure.
Backup Security
You must have the Backup Files And Directories user right, or NTFS Read permission,
to back up a file. Similarly, you must have the Restore Files And Directories user right,
or NTFS Write permission to the target destination, to restore a file. Privileges are
assigned to both the Administrators and Backup Operators groups, so it is possible to
enable a user, a group, or a service account to back up and restore by nesting the
account in the Backup Operators group on the server.
Tip In the real world, do not nest accounts in the Backup Operators group without considering the security implications. Members of the Backup Operators group can connect to hidden administrative drive shares—C$, for example—and have the ability to transfer ownership of files. It is recommended that you grant the user rights to back up files and folders and to restore files and folders to security groups you have created in Active Directory directory service, rather than to this built-in group.
Users with the Restore Files And Directories user right can remove NTFS permissions from files during restore. In Windows Server 2003, they can additionally transfer ownership of files between users.
Therefore, it is important to control the membership of the Backup Operators group
and to physically secure backup tapes. A “loose” backup tape makes it easy for any
intelligent individual to restore and access sensitive data.
Managing Media
The Backup Utility of Windows Server 2003 works closely with the RSM service. RSM,
which is designed to manage robotic tape libraries and CD-ROM libraries, accepts
requests for media from other services or, in this case, applications, and ensures that
the media is correctly mounted or loaded.
RSM is also used with single-media devices such as a manually loaded backup tape
drive, CD-ROM, or Iomega Jaz drive. In the case of single-media drives, RSM keeps
track of media through their labels or serial numbers. The impact of RSM is that, even
in a single-media drive backup system, each tape must have a unique label.
Media Pools
The Backup Utility of Windows Server 2003 manages tapes with RSM using media
pools, as seen in Figure 7-6.
Figure 7-6 Media pools
There are four media pools related to backup:
■ Unrecognized Tape media that are completely blank or in a foreign format are
contained in the Unrecognized pool until they are formatted.
■ Free This pool contains newly formatted tape media, as well as tapes that have
been specifically marked as free by an administrator. Free media can be moved
into the backup media pool by writing a backup set to them.
■ Backup This pool contains media that have been written to by the Backup Utility. The Backup Utility will write only to media in the Free media pool (and it will label the tape with the name you enter just before starting the backup) and to media, specified by name, in the Backup media pool.
■ Import This pool contains tape media that are not cataloged on the local disk
drive. Cataloging such a tape will move the tape into the backup media pool.
Managing Tapes and Media Pools
In conjunction with backup procedures and tape rotation, you will need to manage your tapes in and out of these media pools. To that end, the following actions are available from the Restore And Manage Media page of the Backup Utility:
■ Format a tape Right-click a tape and choose Format. Formatting is not a secure way to erase tapes. If you need to erase tapes for legal or security reasons, use an appropriate third-party utility. Formatting does, however, prepare a tape and move it into the free media pool. Not all drives support formatting.
■ Retension a tape Right-click a tape and choose Retension. Not all drives support retensioning.
■ Mark a tape as free Right-click a tape and choose Mark As Free. This moves the tape into the free media pool. It does not erase the tape. If you need to erase tapes for legal reasons, use an appropriate third-party utility.
Catalogs
When the Backup Utility creates a backup set, it also creates a catalog listing files and folders included in the backup set. That catalog is stored on the disk of the server (the local or on-disk catalog) and in the backup set itself (the on-media catalog). The local catalog facilitates quick location of files and folders to restore. The Backup Utility can display the catalog immediately rather than load the catalog from the typically slower backup media. The on-media catalog is critical if the drive containing the local catalog has failed or if you transfer the files to another system. In those cases, Windows can re-create the local catalog from the on-media catalog.
The Restore And Manage Media page of the Backup Utility allows you to manage catalogs, as follows:
■ Delete Catalog Right-click a backup set and choose Delete Catalog if you have lost or damaged the backup media or if you are transferring files to another system and no longer require its local catalog. The on-media catalog is not affected by this command.
■ Catalog A tape from a foreign system that is not cataloged on the local machine will appear in the import media pool. Right-click the media and choose the Catalog command. Windows will generate a local catalog from the tape or file. This does not create or modify the on-media catalog.
Tip If you have all the tapes in the backup set and the tapes are not damaged or corrupted, open the Backup Options dialog box and, on the General tab, select Use The Catalogs On The Media To Speed Up Building Restore Catalogs On Disk. If you are missing a tape in the backup set or a tape is damaged or corrupted, clear that option. This will ensure that the catalog is complete and accurate; however, it might take a long time to create the catalog.
Backup Options
Backup options are configured by choosing the Options command from the Tools
menu. Many of these options configure defaults that are used by the Backup Utility and
the command-line backup tool, Ntbackup. Those settings can be overridden by options
of a specific job.
General Options
The General tab of the Options dialog box includes the following settings:
■ Compute Selection Information Before Backup And Restore Operations Backup estimates the number of files and bytes that will be backed up or restored before beginning the operation.
■ Use The Catalogs On The Media To Speed Up Building Restore Catalogs On
Disk If a system does not have an on-disk catalog for a tape, this option allows
the system to create an on-disk catalog from the on-media catalog. However, if the
tape with the on-media catalog is missing or if media in the set is damaged, you
can deselect this option and the system will scan the entire backup set (or as much
of it as you have) to build the on-disk catalog. Such an operation can take several
hours if the backup set is large.
■ Verify Data After The Backup Completes The system compares the contents of the backup media to the original files and logs any discrepancies. This option obviously adds a significant amount of time for completing the backup job. Discrepancies are likely if data changes frequently during backup or verification, and it is not recommended to verify system backups because of the number of changes that happen to system files on a continual basis. As long as you rotate tapes and discard tapes before they are worn, it should not be necessary to verify data.
■ Backup The Contents Of Mounted Drives A mounted drive is a drive volume that is mapped to a folder on another volume’s namespace, rather than, or in addition to, having a drive letter. If this option is deselected, only the path of the folder that is mounted to a volume is backed up; the contents are not. By selecting this option, the content of the mounted volume is also backed up. There is no disadvantage in backing up a mount point; however, if you back up the mount point and the mounted drive as well, your backup set will have duplication.
If you primarily back up to file and then save that file to another media, clear the following options. If you primarily back up to a tape or another media managed by Removable Storage, select the following options.
■ Show Alert Message When I Start the Backup Utility And Removable Storage Is Not
Running.
■ Show Alert Message When I Start The Backup Utility And There Is Recognizable
Media Available.
■ Show Alert Message When New Media Is Inserted.
■ Always Allow Use Of Recognizable Media Without Prompting.
Tip The Always Allow Use Of Recognizable Media Without Prompting option can be selected
if you are using local tape drives for backup only, not for Remote Storage or other functions.
The option eliminates the need to allocate free media using the Removable Storage node in
the Computer Management console.
Backup Logging
The Options dialog has a tab called Backup Log. Logging alerts you to problems that might threaten the viability of your backup, so consider your logging strategy as well as your overall backup plan. Although detailed logging will list every file and path that was backed up, the log is so verbose that you are likely to overlook problems. Therefore, summary logging is recommended and is the default. Summary logs report skipped files and errors.
The system will save 10 backup logs to the path %UserProfile%\Local Settings\Application Data\Microsoft\Windows NT\Ntbackup\Data. There is no way to change the path or the number of logs that are saved before the oldest log is replaced. You can, of course, include that path in your backup and thereby back up old logs.
File Exclusions
The Exclude Files tab of the Options dialog box also allows you to specify extensions
and individual files that should be skipped during backup. Default settings result in the
Backup Utility’s skipping the page file, temporary files, client-side cache, debug folder,
and the File Replication Service (FRS) database and folders, as well as other local logs
and databases.
Files can be excluded based on ownership of the files. Click Add New under Files Excluded For All Users to exclude files owned by any user. Click Add New under Files Excluded For User <username> if you want to exclude only files that you own. You can specify files based on Registered File Type or based on an extension using the Custom File Mask. Finally, you can restrict excluded files to a specific folder or hard drive using the Applies To Path and the Applies To All Subfolders options.
Advanced Backup Options
After selecting files to back up, and clicking Start Backup, you can configure additional,
job-specific options by clicking Advanced. Among the more important settings are the
following:
■ Verify Data After Backup This setting overrides the default setting in the
Backup Options dialog box.
■ If Possible, Compress The Backup Data To Save Space This setting compresses data to save space on the backup media, an option not available unless the tape drive supports compression.
■ Disable Volume Shadow Copy VSS allows the backup of locked and open
files. If this option is selected, some files that are open or in use might be skipped.
The Ntbackup Command
The Ntbackup command provides the opportunity to script backup jobs on Windows
Server 2003. Its syntax is
Ntbackup backup {"path to backup" or "@selectionfile.bks"} /j "Job Name" options
The command’s first switch is backup, which sets its mode—you cannot restore from
the command line. That switch is followed by a parameter that specifies what to back
up. You can specify the actual path to the local folder, network share, or file that you
want to back up. Alternatively, you can indicate the path to a backup selection file
(.bks file) to be used with the syntax @selectionfile.bks. The at (@) symbol must precede
the name of the backup selection file. A backup selection file contains information on
the files and folders you have selected for backup. You have to create the file using the
graphical user interface (GUI) version of the Backup Utility.
The third switch, /J “JobName”, specifies the descriptive job name, which is used in the
backup report.
You can then select from a staggering list of switches, which are grouped below based
on the type of backup job you want to perform.
Backing Up to a File
Use the switch
/F “FileName”
where FileName is the logical disk path and file name. You must not use the following
switches with this switch: /T /P /G.
The following example backs up the remote Data share on Server01 to a local file on
the E drive:
ntbackup backup "\\server01\Data" /J "Backup of Server 01 Data folder" /F "E:\Backup.bkf"
Appending to a File or Tape
Use the switch:
/A
to perform an append operation. If appending to a tape rather than to a file, you must
use either /G or /T in conjunction with this switch. It cannot be used with /N or /P.
The following example backs up the remote Profiles share on Server02 and appends
the set to the job created in the first example:
ntbackup backup "\\server02\Profiles" /J "Backup of Server 02 Profiles folder" /F "E:\Backup.bkf" /A
Backing Up to a New Tape or File or Overwriting an Existing Tape
Use the switch:
/N “MediaName”
where MediaName specifies the new tape name. You must not use /A with this switch.
Backing Up to a New Tape
Use the switch
/P “PoolName”
where PoolName specifies the media pool that contains the backup media. This is usually a subpool of the backup media pool, such as 4mm DDS. You cannot use the /A, /G, /F, or /T options if you are using /P.
The following example backs up files and folders listed in the backup selection file c:\backup.bks to a tape drive:
ntbackup backup @c:\backup.bks /j "Backup Job 101" /n "Command Line Backup Job" /p "4mm DDS"
Backing Up to an Existing Tape
To specify a tape for an append or overwrite operation, you must use either the /T or
/G switch along with either /A (append) or /N (overwrite). Do not use the /P switch
with either /T or /G.
To specify a tape by name, use the /T switch with the following syntax:
/T “TapeName”
where TapeName specifies a valid tape in the media pool.
To back up the selection file and append it to the tape created in the previous example,
you would use this command line:
ntbackup backup @c:\backup.bks /j "Backup Job 102" /a /t "Command Line Backup Job"
To specify a tape by its GUID, rather than by its name, use the /G switch with the following syntax:
/G “GUIDName”
where GUIDName specifies a valid tape in the media pool.
Job Options
For each of the job types described above, you can specify additional job options using
these switches:
■ /M {BackupType} Specifies the backup type, which must be one of the following: normal, copy, differential, incremental, or daily.
■ /D {“SetDescription”} Specifies a label for the backup set.
■ /V:{yes | no} Verifies the data after the backup is complete.
■ /R:{yes | no} Restricts access to this tape to the owner or members of the
Administrators group.
■ /L:{f | s | n} Specifies the type of log file: f=full, s=summary, n=none (no log file
is created).
■ /RS:{yes | no} Backs up the migrated data files located in Remote Storage.
Tip The /RS command-line option is not required to back up the local Removable Storage database, which contains the Remote Storage placeholder files. When you back up the %Systemroot% folder, Backup automatically backs up the Removable Storage database as well.
■ /HC:{on | off} Uses hardware compression, if available, on the tape drive.
■ /SNAP:{on | off} Specifies whether the backup should use a Volume Shadow
Copy.
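The following is an added example, not code from the training kit: a small Python helper that composes an Ntbackup command line from a job description and rejects the switch combinations this section says are not allowed (for instance /F with /T, /P or /G, or /A with /N or /P). The function names are made up; the rules it encodes are the ones stated above.

```python
"""Compose and check Ntbackup command lines against the switch rules in this
lesson. Added example, not code from the training kit: the function names are
made up, and the rules encoded are the ones the lesson states."""

BACKUP_TYPES = ("normal", "copy", "differential", "incremental", "daily")
LOG_LEVELS = ("f", "s", "n")  # full, summary, none


def _q(value):
    """Quote a path, name or description the way the lesson's examples do."""
    return f'"{value}"'


def build_ntbackup(source, job_name, *, file=None, append=False, media_name=None,
                   pool=None, tape=None, guid=None, backup_type=None,
                   description=None, verify=None, restrict=None, log=None,
                   remote_storage=None, hardware_compression=None, snapshot=None):
    """Return an 'ntbackup backup ...' line, or raise ValueError for a switch
    combination the lesson says is not allowed."""
    if not source:
        raise ValueError("a path or @selectionfile.bks must follow 'backup'")
    if source.lower().endswith(".bks") and not source.startswith("@"):
        raise ValueError("a backup selection file must be preceded by @")
    if not job_name:
        raise ValueError('/J "JobName" is required')
    # Destination switches: /F to a file, /P to a media pool, /T or /G to a tape.
    if file and (tape or pool or guid):
        raise ValueError("/F cannot be used with /T, /P or /G")
    if append and (media_name or pool):
        raise ValueError("/A cannot be used with /N or /P")
    if pool and (append or guid or file or tape):
        raise ValueError("/P cannot be used with /A, /G, /F or /T")
    if tape and guid:
        raise ValueError("name the tape with /T or with /G, not both")
    if (tape or guid) and not (append or media_name):
        raise ValueError("/T or /G needs /A (append) or /N (overwrite)")
    if not (file or pool or tape or guid):
        raise ValueError("no destination given (/F, /P, /T or /G)")
    # Job options.
    if backup_type is not None and backup_type not in BACKUP_TYPES:
        raise ValueError(f"/M must be one of {', '.join(BACKUP_TYPES)}")
    if log is not None and log not in LOG_LEVELS:
        raise ValueError("/L must be f, s or n")

    parts = ["ntbackup", "backup", _q(source), "/J", _q(job_name)]
    if file:
        parts += ["/F", _q(file)]
    if append:
        parts.append("/A")
    if media_name:
        parts += ["/N", _q(media_name)]
    if pool:
        parts += ["/P", _q(pool)]
    if tape:
        parts += ["/T", _q(tape)]
    if guid:
        parts += ["/G", _q(guid)]
    if backup_type:
        parts += ["/M", backup_type]
    if description:
        parts += ["/D", _q(description)]
    for switch, value in (("/V", verify), ("/R", restrict), ("/RS", remote_storage)):
        if value is not None:
            parts.append(f"{switch}:{'yes' if value else 'no'}")
    if log:
        parts.append(f"/L:{log}")
    for switch, value in (("/HC", hardware_compression), ("/SNAP", snapshot)):
        if value is not None:
            parts.append(f"{switch}:{'on' if value else 'off'}")
    return " ".join(parts)


def conflict(**kwargs):
    """Return the rule a switch combination breaks, or None if it is allowed."""
    try:
        build_ntbackup(**kwargs)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # The lesson's first example, then a weeknight differential appended to the same file.
    print(build_ntbackup(r"\\server01\Data", "Backup of Server 01 Data folder",
                         file=r"E:\Backup.bkf"))
    print(build_ntbackup(r"\\server01\Data", "Weeknight differential",
                         file=r"E:\Backup.bkf", append=True,
                         backup_type="differential", verify=True, log="s"))
```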
Scheduling Backup Jobs
To schedule a backup job, create the job in the Backup Utility, then click Start Backup and configure advanced backup options. After all options have been configured, click Schedule and, in the Set Account Information dialog box, type the user name and password of the account to be used by the backup job.
Security Alert Security best practices suggest that you create an account for each service
rather than run services under the System account. Do not configure a service to run using a
User account, such as your User account or the Administrator account. When the password
changes on a User account you must modify the password setting on all services that run
under the context of that account. The account for the backup job should belong to the
Backup Operators group.
In the Scheduled Job Options dialog box, enter a job name and click Properties. The Schedule Job dialog box appears, as shown in Figure 7-7. Configure the job date, time, and frequency. The Advanced button will let you configure additional schedule settings, including a date range for the job. The Settings tab of the Schedule Job dialog box allows you to refine the job, for example, by specifying that the job should take place only if the machine has been idle for a period of time.
Figure 7-7 The Schedule Job dialog box
Once a job has been scheduled, you can edit the schedule by clicking the Schedule
Jobs tab of the Backup Utility. Jobs are listed on a calendar. Click a job to open its
schedule. Although you can also add a backup job by clicking Add Job in the Schedule
Jobs tab, clicking Add Job will launch the backup wizard so that you can select the files
to back up and some of the properties of the backup job. Most administrators find it
more convenient to create a backup job in the Backup tab directly, then click Start
Backup and Schedule, as described above.
Shadow Copies of Shared Folders
Windows Server 2003 supports another way for administrators and users alike to
recover quickly from damage to files and folders. Using VSS, Windows Server 2003
automatically caches copies of files as they are modified. If a user deletes, overwrites,
or makes unwanted changes to a file, you can simply restore a previous version of the
file. This is a valuable feature, but is not intended to replace backups. Instead, it is
designed to facilitate quick recovery from simple, day-to-day problems—not recovery
from significant data loss.
Enabling and Configuring Shadow Copies
The Shadow Copies feature for shared folders is not enabled by default. To enable the
feature, open the Properties dialog box of a drive volume from Windows Explorer or
the Disk Management snap-in. In the Shadow Copies tab, as shown in Figure 7-8,
select the volume and click Enable. Once enabled, all shared folders on the volume
will be shadowed; specific shares on a volume cannot be selected. You can, however,
manually initiate a shadow copy by clicking Create Now.
Figure 7-8 The Shadow Copies tab of a volume’s Properties dialog box
Caution If you click Disable, you delete all copies that were created by VSS. Consider carefully whether you want to disable VSS for a volume or whether you might be better served by modifying the schedule to prevent new shadow copies from being made.
The default settings configure the server to make copies of shared folders at 7:00 A.M.
and noon, Monday through Friday; and 10 percent of the drive space, on the same
drive as the shared folder, is used to cache shadow copies.
Each of the following settings can be modified by clicking Settings in the Shadow
Copies tab:
■ Storage volume To enhance performance (not redundancy), you can move the
shadow storage to another volume. This must be done when no shadow copies
are present. If shadow copies exist, and you want to change the storage volume,
you must delete all shadow copies on the volume, then change the storage volume.
■ Details The dialog box lists shadow copies that are stored and space utilization
statistics.
■ Storage limits This can be as low as 100 MB. When the shadow copy runs out
of storage, it deletes older versions of files to make room for newer versions. The
proper configuration of this setting depends on the total size of shared folders on
a volume with shadowing enabled; the frequency with which files change, and the
size of those files; and the number of previous versions you wish to retain. In any
event, a maximum of 63 previous versions will be stored for any one file before
the earliest version is removed from the shadow storage.
■ Schedule You can configure a schedule that reflects the work patterns of your
users, ensuring that enough previous versions are available without prematurely
filling the storage area and thereby forcing the removal of old versions. Remember
that when a shadow copy is made, any files that have changed since the previous
shadow copy are copied. If a file has been updated several times between shadow
copies, those interim versions will not be available.
Using Shadow Copy
Shadow copies of shared folders allow you to access previous versions of files that the
server has cached on the configured schedule. This will allow you to
■ Recover files that were accidentally deleted.
■ Recover from accidentally overwriting a file.
■ Compare versions of files while working.
To access previous versions, click the properties of a folder or file and click the Previous Versions tab, as shown in Figure 7-9.
Figure 7-9 The Previous Versions tab of a shared resource
The Previous Versions page will not be available if Shadow Copies is not enabled on the server, or if there are no previous versions stored on the server. It will also be unavailable if the shadow copy client has not been installed on your system. This file is located in the %Systemroot%\System32\Clients\Twclient\x86 folder of a Windows Server 2003 system. The Windows Installer (.msi) file can be deployed using Group Policy, Systems Management Server (SMS), or an e-mail message. Finally, the Previous Versions page is available only when accessing a file’s properties through a shared folder. If the file is stored on the local hard drive, you will not see the Previous Versions tab, even if the file is shared and VSS is enabled. See this lesson’s Practice for an example.
You can then choose to Restore the file to its previous location or Copy the file to a
specific location.
Security Alert Unlike a true restore operation, when you restore a file with Previous Versions, the security settings of the previous version are not restored. If you restore the file to its original location, and the file exists in the original location, the restored previous version overwrites the current version and uses the permissions assigned to the current version. If you copy a previous version to another location, or restore the file to its original location but the file no longer exists in the original location, the restored previous version inherits permissions from the parent folder.
If a file has been deleted, you obviously cannot go to the file’s Properties dialog box
to locate the Previous Versions page. Instead, open the Properties of the parent folder,
click the Previous Versions tab, and locate a previous version of the folder that contains
the file you want to recover. Click View and a folder window will open, as shown in
Figure 7-10, that displays the contents of the folder as of the time at which the shadow
copy was made. Right-click the file and choose Copy, then paste it into the folder
where you want the file to be re-created.
Figure 7-10 A folder’s Previous Versions content list
Shadow copy, as you can see, is a useful addition to the toolset for managing file servers and shared data. With VSS, you can preserve data sets at scheduled points in time. Administrators or users can then restore deleted or corrupted files, or compare files to previous versions. As the VSS cache fills, old versions are purged and new shadow copies are added.
If a user requires data to be restored and that data is no longer available through Previous Versions, you can restore the data from backup. If the server becomes corrupted, you must restore the data from backup. Although VSS enhances the manageability and resiliency of shared files, there is no substitute for a carefully planned and verified backup procedure.
Practice: Advanced Backup and Restore
In this practice, you will schedule a backup job, execute a backup from a command
prompt, and configure and use Shadow Copies of Shared Folders.
Exercise 1: Schedule a Backup Job
1. Open the Backup Utility and click the Backup tab.
2. From the Job menu, load the Finance Backup selections.
3. Configure the Backup Media Or File Name: C:\Backup-Everyday.bkf.
4. Click Start Backup.
5. Click Advanced and configure an Incremental backup type. Click OK.
6. Click Schedule.
7. In the Set Account Information dialog box, type your password and click OK.
8. Name the job Daily Incremental Backup.
9. Click Properties. Configure the job to run daily. Configure the time to be two minutes from the current time so that you can see the results of the job.
10. Complete configuration of the scheduled job. You will be prompted to enter your
password again.
11. Close the Backup Utility.
12. Open the C drive in Windows Explorer and wait two minutes. You will see the
backup job appear.
13. Open the Backup Utility, choose the Report command from the Tools menu, and view the most recent backup log to confirm the status of the backup job. The number of files copied might be zero if you have not made changes to any of the files.
14. If the job did not run properly, open Event Viewer from the Administrative Tools
folder. Examine the Application Log to identify the cause of the failure.
Exercise 2: Run a Backup from a Command Prompt
One of the easier ways to determine the correct switches to use for a command prompt backup is to schedule a backup, as you did in Exercise 1, and then examine the command that the scheduled task creates.
1. Open the Backup Utility and click the Schedule Jobs tab.
2. Click the icon, in the calendar, representing the scheduled job.
3. Click Properties.
4. Select the command in the Run box and press CTRL+C to copy it.
5. Cancel to exit the Schedule Jobs dialog box and close the Backup Utility.
6. Open the command prompt.
7. Click the window menu (the icon of the command prompt in the upper-left corner
of the command prompt window) and, from the Edit menu, choose Paste. The
Ntbackup command with all of its switches is pasted into the command prompt.
Press ENTER. The backup job is executed.
Note It is recommended that you delete the scheduled backup job at this point in the Practice. You will schedule additional jobs in the Case Scenario, and it will be easier to work with those jobs if the current schedule is clear. In the Backup Utility, click the Schedule Jobs tab; then, in the calendar, click the icon representing the scheduled job. Click Delete.
Exercise 3: Enable Shadow Copies
1. Ensure that the C:\Data folder is shared and that the share permissions are configured to allow Everyone Full Control.
2. Open My Computer.
3. Right-click the C drive and choose Properties.
4. Click the Shadow Copies tab.
5. Select the C volume and click Enable.
6. A message will appear. Click Yes to continue.
Exercise 4: Simulate Changes to Network Files
1. Open the C:\Data\Finance folder and open Current.txt. Modify the file’s contents; then save and close the file.
2. Delete the file C:\Data\Finance\Projections.txt.
Exercise 5: Recover Files Using Previous Versions
1. Open the data share by clicking Start, choosing Run, and then typing \\server01\data.
Note It is critical that you open the folder using its UNC, not its local path. The Previous
Versions tab is available only when connected to a shared folder over the network.
2. Open the Finance folder.
3. Right-click the Current.txt file and choose Properties.
4. Click the Previous Versions tab.
5. Select the previous version of Current.txt.
6. Click Copy, select the Desktop as the destination, and then click Copy again.
7. Click OK to close the Properties dialog box.
8. Open Current.txt from your desktop. You will see that it is the version without the
changes you made in Exercise 4.
9. Return to \\Server01\Data. This time, do not open the Finance folder.
10. To recover the deleted Projections.txt file, right-click the Finance folder and click
Properties.
11. Click the Previous Versions tab.
12. Select the previous version of the Finance folder and click View.
A window opens showing the contents of the folder as of the time that the shadow
copy was made.
13. Right-click the Projections.txt file and choose Copy.
14. Switch to the folder that shows you the current \\server01\data folder.
15. Open the Finance folder.
16. Paste the Projections.txt file into the folder. You have now restored the previous
version of Projections.txt.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. Scott Bishop is a power user at a remote site that includes 20 users. The site has a Windows Server 2003 system providing file and print servers. There is a tape drive installed on the system. Because there is no local, full-time administrator at the site, you want to allow Scott to back up and restore the server. However, you want to minimize the power and the privileges that Scott obtains, limiting his capabilities strictly to backup and restore. What is the best practice to provide Scott the minimum necessary credentials to achieve his task?
2. Write the command that will allow you to fully back up the C:\Data\Finance folder to a file called Backup.bkf in a share called Backup on Server02, with the backup job name “Backup of Finance Folder.” Then, write the command that will allow you to perform an incremental backup and append the backup set to the same file, with the same backup job name.
3. A user has deleted a file in a shared folder on a server. The user opens the properties of the folder and does not see a Previous Versions tab. Which of the following may be true? (Choose all that apply.)
a. The folder is not enabled for Shadow Copy.
b. The volume on the server is not enabled for Shadow Copy.
c. The user doesn’t have permission to view the Shadow Copy cache.
d. The Shadow Copy client is not installed on the user’s machine.
e. The folder is on a FAT volume.
Lesson Summary
■ You must have the right to back up and restore files to use the Backup Utility or
any other backup tool. The right is assigned, by default, to the Backup Operators
and Administrators groups.
■ The Options dialog box allows you to configure General, Backup, and Restore settings, many of which become defaults that will drive the behavior of the Backup Utility and the Ntbackup command unless overridden by job-specific options specified in the backup job’s Advanced Backup Options dialog box or in command-line switches.
■ The Ntbackup command and its full complement of switches allows you to launch
a backup job from a command prompt or batch file.
■ Backup jobs can be scheduled to run regularly and automatically during periods
of low usage.
■ Volume Shadow Copy Service (VSS) allows a user to access previous versions of
files and folders in network shares. With those previous versions, users can restore
deleted or damaged files or compare versions of files.
Case Scenario Exercise
You are asked to configure a backup strategy for the Finance Department’s shared folder. The backup should occur automatically during the early morning hours, as there are users working shifts from 4:00 A.M. to 12:00 midnight, Monday through Friday. Files in the folder change frequently—about half the files change once a week; the other half of the files change almost daily. You are told that if the server’s hard drive ever fails, down time is extraordinarily costly to the company, so recovery should be as fast as possible.
1. With the knowledge that so many files change almost daily, and that recovery must be as quick as possible, what type of backup job should you consider running nightly?
2. You configure a normal daily backup job to run at 12:00 midnight, after the last
shift has gone home for the evening. Unfortunately, you find that the backup job
is not completed by 4:00 A.M. when the morning shift arrives. How should you
modify your backup strategy?
Exercise 1: Create Sample Data
1. Open My Computer and the C drive.
2. Delete the Data folder. You will be prompted to confirm the choice. You will also
be informed that the folder is shared, and that deleting the folder will delete the
shared folder. Confirm your understanding of the warning and continue.
3. Open the command prompt and type cd c:\.
4. Type the command createfiles.bat.
Note If you did not create the createfiles.bat file in Lesson 1, Exercise 1, complete steps 1
through 3 of Exercise 1 to create the appropriate script.
Exercise 2: Schedule the Backup Job
Configure and schedule the following backup jobs. If you need guidance to achieve
these tasks, refer to the instructions in the Practices in Lesson 1 and Lesson 3.
■ Normal backup job to back up the C:\Data\Finance folder to a file called C:\Backup\Finance.bkf (replacing the media), every Sunday at 9:00 P.M.
■ Differential backup job to back up the same folder to the same file (appending to
the media), at 12:15 A.M. on Tuesday through Saturday (that is, Monday night
through Friday night).
Exercise 3: Simulate the Scheduled Jobs
Rather than waiting until Sunday night for the normal backup job to execute automatically, you will execute the backup job from the command prompt.
1. Open the Backup Utility.
2. Click the Schedule Jobs tab.
3. Click the icon in the calendar representing the Sunday night normal backup job.
4. Click Properties.
5. Select the command in the Run box and press CTRL+C to copy it.
6. Cancel to exit the Schedule dialog box and close the Backup Utility.
7. Open the command prompt.
8. Click the window menu (the icon of the command prompt in the upper-left corner
of the command prompt window) and, from the Edit menu, choose Paste. The
Ntbackup command with all its switches is pasted into the command prompt.
Press ENTER. The backup job is executed.
9. Open C:\Data\Finance\Projections.txt and make changes to the file. Save and close the file.
10. Repeat steps 1–8, this time executing from the command prompt the differential backup job that is scheduled to run every night.
Exercise 4: Verify the Procedure
1. Open the Backup Utility.
2. From the Tools menu, click Report.
3. Open the two most recent backup reports and confirm that the jobs completed
successfully. The normal job should have backed up four files. The differential job
should have backed up one file.
4. Perform a test restore to a folder called C:\TestRestore. Restore the normal job and then the differential job. If you need guidance, refer to the Practice in Lesson 2.
Caution Remember, before restoring the differential job, that you must configure the
Restore options (from the Tools menu, select Options) to always replace files. You might also
need to catalog the file to see all the backup sets it contains.
Troubleshooting Lab
At 1:00 P.M. on Tuesday, a user in the Finance Department contacts you to let you
know that he accidentally deleted some files from the Finance folder. You are confident
that the backup procedure you established will help you recover the deleted files.
However, you also want to ensure that you don’t roll back any files that had been
changed today, after the overnight backup job was executed.
In this lab, you will simulate the workflow that creates such a scenario, and then you
will recover the missing data.
Exercise 1: Create a Data Loss
1. Open the C:\Data\Finance folder.
2. Open the file Current.txt. Make some changes to the file. Save and close the file.
3. Open the Budget file. Make some changes, save, and close the file.
4. Delete the Historical.txt and Projections.txt files.
Exercise 2: Plan the Recovery
Review the backup strategy you developed in the Case Scenario Exercise: a normal
backup every Sunday night and a differential backup every weeknight.
1. How will you recover the missing data?
2. How will you prevent those newer files from being overwritten by files in the
backup set?
Exercise 3: Recover the Data
1. Open the Backup Utility.
2. Choose the Options command from the Tools menu.
3. Click the Restore tab.
4. Configure restore to leave newer files untouched by selecting Replace The File On
Disk Only If The File On Disk Is Older; then close the Options dialog box.
5. Select the backup media that contains your normal and differential backup.
6. Restore the normal backup to its original location.
7. Restore the differential backup to its original location.
8. Open the Current and Budget files. Because these files were newer than those on
the backup set, and because of the restore options you configured, they should
include the changes you made in the Case Scenario exercise.
Chapter Summary
■ You must have the right to back up and restore files to use the Backup Utility or
any other backup tool. The right is assigned, by default, to the Backup Operators
and Administrators groups.
■ The Backup Utility, Ntbackup, allows you to back up and restore data from local
and remote folders to local files, tape drives, removable media, or shared folders
on remote servers. You cannot back up to writable CD or DVD formats.
■ A backup strategy typically begins with a normal backup followed by regular
incremental or differential backups. Incremental jobs create the backup more
quickly; differential backups are faster to restore. Jobs can be scheduled to occur
during periods of low use.
■ Copy backups and daily backups can be used to capture files without interfering
with the regular backup schedule.
■ The Backup Utility will also allow you to restore backed up data to the original
location or to an alternate location. The latter is useful to test and verify restore
procedures. You can control which files are replaced during a restore through the
Options dialog box Restore tab.
■ The Ntbackup command and its full complement of switches allows you to launch
a backup job from a command prompt or batch file.
■ Volume Shadow Copy Service (VSS) allows a user to access previous versions of
files and folders in network shares. With those previous versions, users can restore
deleted or damaged files or compare versions of files.
Exam Highlights
Before taking the exam, review the key points and terms that are presented below to help you identify topics you need to review. Return to the lessons for additional practice and review the “Further Readings” sections in Part 2 for pointers to more information about topics covered by the exam objectives.
Key Points
■ Identify the group memberships or rights required to perform a backup or restore
operation.
■ Create a backup strategy based on requirements including the amount of time it
takes to back up data and the speed with which restores must be performed.
■ Understand how to restore data under a variety of conditions, including complete
and partial data loss. Compare the data loss to the backup schedule to identify the
backup sets that must be restored. Integrate your knowledge of the order in which
backup sets should be restored and how existing files on the hard drive should be
replaced.
■ Schedule a backup job and configure backup options.
■ Enable shadow copies of shared folders and recover data using the Previous Versions tab of a file or folder’s Properties dialog box.
Key Terms
copy, daily, differential, incremental, and normal backup These five backup types select files to back up using specific criteria. Copy and normal back up all files; daily backs up files that have been modified on a specified date; differential and incremental back up files with their archive attribute set. Normal and incremental backups also reset the archive attribute.
archive attribute An attribute that is set when a file is created or modified. Incremental and differential backups will back up files with their Archive attribute set. Incremental backups also clear the Archive attribute.
Volume Shadow Copy Service (VSS) A feature of Windows Server 2003 that allows
you to back up files that are locked or open.
media pools: unrecognized, import, free, backup The four categories of removable media. Ntbackup will back up to media in the free and backup media pools only.
shadow copies of shared folders A feature of Windows Server 2003 that, once
configured on the server and on clients, allows users to retrieve previous versions
of files without administrator intervention.
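The following is an added example, not code from the training kit, that simulates the backup types and archive-attribute rules defined in these key terms, and then replays the Troubleshooting Lab's restore with the Replace The File On Disk Only If The File On Disk Is Older option. The in-memory file system, file contents and timestamps are constructed for illustration.

```python
"""Simulate the five backup types, the archive attribute and the "replace the
file on disk only if it is older" restore rule from this chapter. Added example,
not code from the training kit: the in-memory file system, the file contents and
the timestamps (hours since Sunday 00:00) are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class Entry:
    content: str
    mtime: float          # constructed clock: hours since Sunday 00:00
    archive: bool = True  # set whenever a file is created or modified


def write(fs, name, content, mtime):
    """Create or modify a file; either way the archive attribute is set."""
    fs[name] = Entry(content, mtime, True)


def run_backup(fs, kind, when):
    """Select files the way the named backup type does and return the backup set."""
    if kind in ("normal", "copy"):
        chosen = list(fs.items())                                   # all files
    elif kind in ("differential", "incremental"):
        chosen = [(n, e) for n, e in fs.items() if e.archive]       # archive attribute set
    elif kind == "daily":
        chosen = [(n, e) for n, e in fs.items() if e.mtime // 24 == when // 24]
    else:
        raise ValueError(f"unknown backup type {kind!r}")
    backup_set = {n: Entry(e.content, e.mtime, e.archive) for n, e in chosen}
    if kind in ("normal", "incremental"):      # only these two reset the attribute
        for _, e in chosen:
            e.archive = False
    return backup_set


def restore(fs, backup_set, policy):
    """Restore tab choices: 'never' replace, 'older' (replace only if the file on
    disk is older) or 'always' replace. Missing files are always re-created."""
    replaced = []
    for name, e in backup_set.items():
        on_disk = fs.get(name)
        if on_disk is None or policy == "always" or (
                policy == "older" and on_disk.mtime < e.mtime):
            fs[name] = Entry(e.content, e.mtime, e.archive)
            replaced.append(name)
    return sorted(replaced)


def finance_share():
    """Constructed C:\\Data\\Finance contents: four files last modified Sunday morning."""
    fs = {}
    for name in ("Budget.txt", "Current.txt", "Historical.txt", "Projections.txt"):
        write(fs, name, f"{name} v0", mtime=10.0)
    return fs


def troubleshooting_lab():
    """Sunday-night normal, weeknight differential, Tuesday edits and deletions,
    then the two-step restore that must leave Tuesday's edits alone."""
    fs = finance_share()
    normal = run_backup(fs, "normal", when=21.0)                          # Sunday 9:00 P.M.
    write(fs, "Projections.txt", "Projections.txt v1", mtime=24 + 10)     # changed Monday
    differential = run_backup(fs, "differential", when=48 + 0.25)         # Tuesday 12:15 A.M.
    write(fs, "Current.txt", "Current.txt v1", mtime=48 + 9)              # Tuesday edits
    write(fs, "Budget.txt", "Budget.txt v1", mtime=48 + 10)
    del fs["Historical.txt"], fs["Projections.txt"]                       # accidental deletion
    from_normal = restore(fs, normal, "older")
    from_differential = restore(fs, differential, "older")
    return {"normal_count": len(normal), "differential_count": len(differential),
            "from_normal": from_normal, "from_differential": from_differential,
            "files": {n: e.content for n, e in sorted(fs.items())}}


def second_night_comparison():
    """After one normal backup, run two nightly jobs of the same type and record
    which files each one captured (incremental versus differential)."""
    results = {}
    for kind in ("incremental", "differential"):
        fs = finance_share()
        run_backup(fs, "normal", when=21.0)
        write(fs, "Current.txt", "Current.txt v1", mtime=24 + 10)     # changed Monday
        first = run_backup(fs, kind, when=48.25)
        write(fs, "Budget.txt", "Budget.txt v1", mtime=48 + 10)       # changed Tuesday
        second = run_backup(fs, kind, when=72.25)
        results[kind] = (sorted(first), sorted(second))
    return results


if __name__ == "__main__":
    print(troubleshooting_lab())
    print(second_night_comparison())
```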
Questions and Answers
Lesson 1 Review (page 7-11)
1. Which of the following locations are not allowed to be used for a backup of a
Windows Server 2003 system?
a. Local tape drive
b. Local CD-RW
c. Local hard drive
d. Shared folder on a remote server
e. Local DVD+R
f. Local removable drive
g. Tape drive on a remote server
The correct answers are b, e, and g.
2. You are to back up a Microsoft Windows Server 2003 file server every evening. You
perform a manual, normal backup. You will then schedule a backup job to run
every evening for the next two weeks. Which backup type will complete the fastest?
a. Normal
b. Differential
c. Incremental
d. Copy
The correct answer is c.
3. You are to back up a Windows Server 2003 file server every evening. You perform
a manual, normal backup. You will then schedule a backup job to run every
evening for the next two weeks. Which backup type will provide the simplest
recovery of lost data?
a. Normal
b. Differential
c. Incremental
d. Daily
The correct answer is a.
4. You are to back up a Windows Server 2003 file server every evening. You perform
a normal backup. On the second evening, you consider whether to use incremen-
tal or differential backup. Will there be any difference in the speed or size of those
two backup jobs? If the server were to fail the following day, would there be any
difference in the efficiency of recovery?
On the second evening, you could use either backup type. The normal backup cleared the
archive attribute. Both incremental and differential backups will, on the second evening, trans-
fer all files created or changed on the second day. There will be no difference in the contents
of the two jobs. Therefore, there will be no difference in recovery on the third day: you would
have to restore the normal backup and then the backup from the second evening.
However, incremental and differential backups treat the archive attribute on backed up files dif-
ferently: incremental turns off the attribute; differential leaves it on. So on the next backup,
there starts to be a difference. A second incremental backup will transfer only files created or
changed since the first incremental backup. However, a second differential backup will include
all files created or changed since the normal backup; that is, it will include all files already cop-
ied by the first differential backup.
5. Review the steps taken during the Practice. Predict the contents of the following
backup jobs:
❑ backup-normal.bkf
❑ backup-diff-day1.bkf
❑ backup-diff-day2.bkf
❑ backup-inc-day2.bkf
❑ backup-inc-day3.bkf
Are there any differences between the contents of backup-diff-day2 and backup-
inc-day2?
■ backup-normal.bkf: Historical, Current, Budget, and Projections
■ backup-diff-day1.bkf: Current
■ backup-diff-day2.bkf: Current and Budget
■ backup-inc-day2.bkf: Current and Budget
■ backup-inc-day3.bkf: Projections
There are no differences between backup-diff-day2 and backup-inc-day2. Both backup types will
back up data that has the archive attribute set. Because a normal backup was performed on
the first day, all files that have changed since the first day will have the archive attribute set.
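The archive-attribute rules behind questions 4 and 5 can be checked with a short simulation. The following Python is an added example, not code from the training kit or from the Backup Utility itself: the file names and dates are constructed, and it assumes the practice changed Current on day 1, Budget on day 2, and Projections on day 3, which reproduces the backup-set contents listed above and the differential-versus-incremental difference described in the answer to question 4.

```python
"""Simulate how the five Backup Utility (ntbackup) backup types select files
by the archive attribute. Added illustration with constructed file names and
dates; it is not code from the training kit."""
from dataclasses import dataclass
from datetime import date


@dataclass
class File:
    name: str
    modified: date
    archive: bool = True  # Windows sets the attribute on create or modify


class Volume:
    def __init__(self, files):
        self.files = {f.name: f for f in files}

    def modify(self, name, day):
        """A user edits a file: new modification date, archive attribute set."""
        f = self.files[name]
        f.modified = day
        f.archive = True


def backup(volume, kind, today=None):
    """Return the sorted names a backup of this type copies and update the
    archive attributes the way the Backup Utility does."""
    kind = kind.lower()
    files = list(volume.files.values())
    if kind in ("normal", "copy"):
        selected = files                                   # everything
    elif kind == "daily":
        selected = [f for f in files if f.modified == today]
    elif kind in ("incremental", "differential"):
        selected = [f for f in files if f.archive]         # changed since reset
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in ("normal", "incremental"):                  # only these reset the bit
        for f in selected:
            f.archive = False
    return sorted(f.name for f in selected)


def practice_timeline():
    """Review question 5: assumed sequence of changes between the practice jobs."""
    vol = Volume([File(n, date(2004, 1, 1))
                  for n in ("Historical", "Current", "Budget", "Projections")])
    sets = {"backup-normal.bkf": backup(vol, "normal")}
    vol.modify("Current", date(2004, 1, 2))               # day 1
    sets["backup-diff-day1.bkf"] = backup(vol, "differential")
    vol.modify("Budget", date(2004, 1, 3))                # day 2
    sets["backup-diff-day2.bkf"] = backup(vol, "differential")
    sets["backup-inc-day2.bkf"] = backup(vol, "incremental")
    vol.modify("Projections", date(2004, 1, 4))           # day 3
    sets["backup-inc-day3.bkf"] = backup(vol, "incremental")
    return sets


def second_night_comparison():
    """Review question 4: a differential chain versus an incremental chain
    after the same normal backup. Returns {type: (night 2 set, night 3 set)}."""
    results = {}
    for kind in ("differential", "incremental"):
        vol = Volume([File("A", date(2004, 1, 1)), File("B", date(2004, 1, 1))])
        backup(vol, "normal")
        vol.modify("A", date(2004, 1, 2))
        night2 = backup(vol, kind)
        vol.modify("B", date(2004, 1, 3))
        night3 = backup(vol, kind)
        results[kind] = (night2, night3)
    return results


if __name__ == "__main__":
    for name, contents in practice_timeline().items():
        print(f"{name}: {', '.join(contents)}")
    print(second_night_comparison())
```

Running the script lists the five practice sets and then shows why the two chains diverge on the third night: the differential set carries A again because a differential leaves the attribute set, while the incremental set carries only B.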
Lesson 2 Review (page 7-18)
1. A user has accidentally deleted the data in a Microsoft Word document and saved
the document, thereby permanently altering the original file. A normal backup
operation was performed on the server the previous evening. Which restore
option should you select?
a. Do Not Replace The File On My Computer
b. Replace The File On Disk Only If The File On Disk Is Older
c. Always Replace The File On My Computer
The correct answer is c. The file does exist on the server, but the file has been corrupted. You
should replace the file with the copy in the backup set.
2. An executive has returned from a business trip. Before the trip, she copied files
from a network folder to her hard drive. The folder is shared with other execu-
tives, who modified their files in the folder while she was away. When she
returned, she moved her copy of the files to the network share, thereby updating
her files with the changes she made while away, but also overwriting all the files
that had been changed by other executives. The other executives are unhappy
that their files have been replaced with the versions that were active when she left
for her trip. Luckily, you performed a normal backup operation on the folder the
previous evening. What restore option should you choose?
a. Do Not Replace The File On My Computer
b. Replace The File On Disk Only If The File On Disk Is Older
c. Always Replace The File On My Computer
The correct answer is b. This option will not overwrite files that were changed by the executive
while she was away. Those files will have a date more recent than the backup. It will, however,
restore the other executives’ files over the older versions she uploaded to the network.
Tip Users should be trained to use the Offline Files feature so that this kind of disaster,
which is not uncommon, can be avoided. Offline Files synchronizes changed files only, so only
the updates she made would have been uploaded to the network, leaving the other execu-
tives’ changes intact.
3. You would like to test the restore procedures on your server, but would also like
to avoid affecting the production copies of the backed-up data. What is the best
restore location to use?
a. Original location
b. Alternate location
c. Single folder
The correct answer is b. Restoring to an alternate location will restore the folder structure and
files that were backed up. You can then compare the contents of the target location with the
original backed-up files to verify the success of the restore procedure.
Lesson 3 Review (page 7-35)
1. Scott Bishop is a power user at a remote site that includes 20 users. The site has a
Windows Server 2003 system providing file and print servers. There is a tape drive
installed on the system. Because there is no local, full-time administrator at the
site, you want to allow Scott to back up and restore the server. However, you want
to minimize the power and the privileges that Scott obtains, limiting his capabili-
ties strictly to backup and restore. What is the best practice to provide Scott the
minimum necessary credentials to achieve his task?
Make Scott a member of the Backup Operators group. The Backup Operators group is
assigned, by default, the privilege to back up and restore files and folders.
2. Write the command that will allow you to fully back up the C:\Data\Finance folder to a file called Backup.bkf in a share called Backup on Server02, with the backup job name “Backup of Finance Folder.” Then, write the command that will allow you to perform an incremental backup and append the backup set to the same file, with the same backup job name.
ntbackup backup "c:\data\finance" /J "Backup of Finance Folder" /F "\\server02\backup\backup.bkf" /m normal
ntbackup backup "c:\data\finance" /J "Backup of Finance Folder" /F "\\server02\backup\backup.bkf" /a /m incremental
3. A user has deleted a file in a shared folder on a server. The user opens the prop-
erties of the folder and does not see a Previous Versions tab. Which of the follow-
ing might be true? (Choose all that apply.)
a. The folder is not enabled for Shadow Copy.
b. The volume on the server is not enabled for Shadow Copy.
c. The user doesn’t have permission to view the Shadow Copy cache.
d. The Shadow Copy client is not installed on the user’s machine.
e. The folder is on a FAT volume.
The correct answers are b, d, and e. Shadow Copy is enabled per volume, not per folder. Once
Shadow Copy is enabled, any user with the client installed will see a Previous Versions tab for
a file or folder that has changed. Shadow Copy is supported only on NTFS volumes.
Case Scenario Exercise (page 7-37)
1. With the knowledge that so many files change almost daily, and that recovery
must be as quick as possible, what type of backup job should you consider run-
ning nightly?
Consider normal backups. There is so much change happening to the shared folder that you
are receiving less than a 50 percent benefit using a differential or incremental backup versus
a normal backup; and nothing is faster to restore than a normal backup because the backup
set contains all the files to restore.
2. You configure a normal daily backup job to run at 12:00 midnight, after the last
shift has gone home for the evening. Unfortunately, you find that the backup job
is not completed by 4:00 A.M. when the morning shift arrives. How should you
modify your backup strategy?
Create a normal backup once a week, perhaps on Sunday, and then create differential backups
nightly during the week. Although differential and incremental backups are both available, dif-
ferential backups provide faster restore capability because the most recent differential backup
set includes all files that have been updated since the normal backup.
Troubleshooting Lab, Exercise 2: Plan the Recovery (page 7-39)
1. How will you recover the missing data?
A normal backup includes all selected files. It is the baseline from which you begin to recover
from data loss. The differential backup includes all files that have changed since the normal
backup. After you have restored the normal backup, you can restore the most recent differential
backup. Keep in mind, however, that some of the files (Budget and Current) have been changed
by users subsequent to the overnight differential backup.
2. How will you prevent those newer files from being overwritten by files in the
backup set?
The Options dialog box includes a Restore Options tab that allows you to specify how files in
the backup set are written to the destination. You can direct the Backup Utility to overwrite files
only if the files on the disk are older than the files in the backup set. Files that are newer will
remain.
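The three Restore Options rules are easy to get wrong under pressure, so the following Python works them through on constructed data for both the executive scenario of Lesson 2 Review question 2 and the normal-then-differential recovery planned in this lab. It is an added example, not code from the training kit or from the Backup Utility; file names, contents and timestamps are made up, and the data loss is assumed to have left only the two files users edited after the overnight differential.

```python
"""Apply the Backup Utility's three Restore Options rules to constructed
data: the executive scenario of Lesson 2 Review question 2 and the
normal-then-differential recovery of the Troubleshooting Lab. Added example,
not code from the training kit; names, contents and timestamps are made up."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Version:
    content: str        # stands in for the file data
    modified: datetime  # the file's last-modified timestamp


DO_NOT_REPLACE = "Do Not Replace The File On My Computer"
REPLACE_IF_OLDER = "Replace The File On Disk Only If The File On Disk Is Older"
ALWAYS_REPLACE = "Always Replace The File On My Computer"


def restore_set(disk, backup_set, option):
    """Write one backup set onto `disk` (name -> Version) under the chosen
    Restore Options rule. Files absent from disk are always restored.
    Returns the sorted names that were written."""
    written = []
    for name, backed_up in backup_set.items():
        on_disk = disk.get(name)
        if on_disk is None:
            write = True
        elif option == DO_NOT_REPLACE:
            write = False
        elif option == REPLACE_IF_OLDER:
            write = on_disk.modified < backed_up.modified
        elif option == ALWAYS_REPLACE:
            write = True
        else:
            raise ValueError(f"unknown restore option: {option}")
        if write:
            disk[name] = backed_up
            written.append(name)
    return sorted(written)


def executive_scenario(option):
    """Lesson 2 Review question 2. Returns (names written, contents on disk)."""
    disk = {
        # She edited this during the trip, so her upload is newer than the
        # pre-trip version in last night's backup.
        "Budget.xls": Version("her trip edits", datetime(2004, 1, 4, 9, 0)),
        # Her stale pre-trip copy overwrote a colleague's newer version.
        "Forecast.xls": Version("her stale copy", datetime(2004, 1, 1, 8, 0)),
    }
    backup_set = {
        "Budget.xls": Version("pre-trip version", datetime(2004, 1, 1, 8, 0)),
        "Forecast.xls": Version("colleague's update", datetime(2004, 1, 5, 12, 0)),
    }
    written = restore_set(disk, backup_set, option)
    return written, {n: v.content for n, v in sorted(disk.items())}


def troubleshooting_lab():
    """Restore the normal baseline, then the most recent differential, with
    Replace Only If Older so files users changed after the differential
    survive. Returns (written by normal, written by differential, disk)."""
    normal = {n: Version(f"{n} v1", datetime(2004, 1, 4, 23, 0))
              for n in ("Historical", "Current", "Budget", "Projections")}
    differential = {
        "Current": Version("Current v2", datetime(2004, 1, 6, 15, 0)),
        "Budget": Version("Budget v2", datetime(2004, 1, 6, 16, 0)),
    }
    # After the data loss only the two files users edited this morning remain.
    disk = {
        "Current": Version("Current v3", datetime(2004, 1, 7, 10, 0)),
        "Budget": Version("Budget v3", datetime(2004, 1, 7, 11, 0)),
    }
    first = restore_set(disk, normal, REPLACE_IF_OLDER)
    second = restore_set(disk, differential, REPLACE_IF_OLDER)
    return first, second, {n: v.content for n, v in sorted(disk.items())}


if __name__ == "__main__":
    for opt in (DO_NOT_REPLACE, REPLACE_IF_OLDER, ALWAYS_REPLACE):
        print(opt, "->", executive_scenario(opt))
    print(troubleshooting_lab())
```

With Replace Only If Older the executive's newer Budget.xls is kept and only the stale Forecast.xls is overwritten, which is the outcome the answer to question 2 describes; Always Replace would also roll back her trip edits. In the lab, the normal set restores only the missing files and the differential set writes nothing, because the two files still on disk are newer than any backed-up copy.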
8 Printers
Exam Objectives in this Chapter:
■ Troubleshoot print queues
■ Monitor file and print servers. Tools might include Task Manager, Event Viewer,
and System Monitor.
Why This Chapter Matters
An administrator’s to-do list usually teems with items relating to printers. Whether
testing or deploying new printer hardware, troubleshooting print jobs, or securing
and monitoring printer utilization, you are apt to be almost as busy with printers
as with file and folder access.
Microsoft Windows Server 2003 provides a powerful feature set to support enter-
prise print services. This chapter introduces you to the setup and configuration of
printers on Windows Server 2003, the interaction between printers and the
Microsoft Active Directory directory service, connecting clients to network print-
ers, and monitoring and troubleshooting print services. You will learn how to
administer local, network, and Internet printers, and how to configure printers for
maximum flexibility and security.
Lessons in this Chapter:
■ Lesson 1: Installing and Configuring Printers . . . . . . . . . . . . . . . . . . . . . . . . 8-3
■ Lesson 2: Advanced Printer Configuration and Management . . . . . . . . . . . . 8-16
■ Lesson 3: Maintaining, Monitoring, and Troubleshooting Printers . . . . . . . . 8-29
Before You Begin
This chapter presents the skills and concepts related to administering printers running
from Windows Server 2003. This training kit presumes you have a minimum of 18
months of experience and a working knowledge of Active Directory directory service
and the Microsoft Management Console (MMC). However, because many administra-
tors come to Windows Server 2003 from other printer environments, including Novell
NetWare, and because printer terminology has changed slightly, this chapter’s first
lesson reviews fundamentals of printer configuration. Lesson 2 and Lesson 3 build on
those fundamentals to prepare you for advanced, flexible administration, support,
monitoring, and troubleshooting of printers in a Windows Server 2003 environment.
8-2 Chapter 8 Printers
Although it is advantageous to have a printer and two computers (a computer running
Windows Server 2003 and a client running Windows XP or Windows 2000 Profes-
sional), you can complete the exercises in this chapter without a printer and with only
one computer. Prepare the following:
■ A Windows Server 2003 (Standard or Enterprise) installed as Server01 and config-
ured as a domain controller in the domain contoso.com
■ A first-level organizational unit (OU) called Security Groups
■ The Active Directory Users And Computers console or a customized console with
the Active Directory Users And Computers snap-in
Lesson 1: Installing and Configuring Printers
Windows Server 2003 supports powerful, secure, and flexible print services. By using
a computer running Windows Server 2003 to manage printers attached locally to the
computer or attached to the network, such printers can be made available to applica-
tions running locally on the computer running Windows Server 2003 or to users on any
client platform, including previous versions of Microsoft Windows as well as NetWare,
UNIX, or Apple Macintosh clients. This lesson will examine the basic concepts, termi-
nology, and skills related to the setup of printers in Windows Server 2003.
After this lesson, you will be able to
■ Understand the model and terminology used for Windows printing
■ Install a logical printer on a print server for a network-attached printer
■ Prepare a print server to host clients, including computers running previous versions of
Windows
■ Connect a printer client to a logical printer on a print server
■ Manage print jobs
Estimated lesson time: 15 minutes
Understanding the Windows Server 2003 Printer Model
Windows Server 2003, and previous versions of Windows, support two types of printers:
■ Locally attached printers Printers that are connected to a physical port on a
print server, typically a universal serial bus (USB) or parallel port.
■ Network-attached printers Printers connected to the network instead of to a
physical port. A network-attached printer is a node on the network; print servers
can address the printer using a network protocol such as Transmission Control
Protocol/Internet Protocol (TCP/IP).
Each type of printer is represented on the print server as a logical printer. The logical
printer defines the characteristics and behavior of the printer. It contains the driver,
printer settings, print setting defaults, and other properties that control the manner in
which a print job is processed and sent to the chosen printer. This virtualization of the
printer by a logical printer allows you to exercise extraordinary creativity and flexibility
in configuring your print services.
Note In previous versions of Windows and in earlier versions of documentation, the printer
was referred to as the “print device” and the logical printer was referred to as the “printer.”
There are two ways to implement printing to network-attached printers. One model is
created by installing logical printers on all computers and connecting those logical
printers directly to the network-attached printer. In this model, there is no print server;
each computer maintains its own settings, print processor, and queue. When users
examine the print queue, they see only the jobs they have sent to the printer. There is
no way for users to know what jobs have been sent to the printer by other users. In
addition, error messages appear only on the computer that is printing the current job.
Finally, all print job processing is performed locally on the user’s computer rather than
being offloaded to a print server.
Because of these significant drawbacks, the most typical configuration of printers in an
enterprise is a three-part model consisting of the physical printer itself, a logical printer
hosted on a print server, and printer clients connecting to the server’s logical printer.
This lesson focuses exclusively on such a structure, although the concepts and skills
discussed apply to other printer configurations.
Printing with a print server provides the following advantages:
■ The logical printer on the print server defines the printer settings and manages
printer drivers.
■ The logical printer produces a single print queue that appears on all client com-
puters, so users can see where their jobs are in relation to other users’ jobs.
■ Error messages, such as out-of-paper or printer-jam messages, are visible on all cli-
ents, so all users can know the state of the printer.
■ Most applications and most print drivers will offload some, or a significant
amount, of the print-job processing to the server, which increases the responsive-
ness of the client computers. In other words, when users click Print, their jobs are
sent quickly to the print server and users can resume their work while the print
server processes the jobs.
■ Security, auditing, monitoring, and logging functions are centralized.
Installing a Printer on Windows Server 2003
Printers are managed most commonly through the Printers And Faxes folder, which
integrates both printer and fax capabilities. The Add Printer Wizard guides you through
the printer setup. The most critical choices you must make are the following:
■ Local Or Network Printer This page of the Add Printer Wizard is shown in
Figure 8-1. When you set up a printer on a computer running Windows Server 2003,
the terms local printer and network printer have slightly different meanings from
what you might expect. A local printer is a logical printer that supports a printer
attached directly to the server or a stand-alone, network-attached printer. When you
direct the Add Printer Wizard to create a local printer by clicking Local Printer
Attached To This Computer, the server can share the printer to other clients on the
network. A network printer, on the other hand, is a logical printer that connects to a
printer directly attached to another computer or to a printer managed by another
print server. The user interface can be misleading, so remember that, in the common
print server implementation, the print server will host local printers (whether the
printer hardware is attached to the computer or is network-attached), and worksta-
tions will create network printers connecting to the server’s shared logical printer.
Figure 8-1 The Local Or Network Printer page of the Add Printer Wizard
■ Select A Printer Port When you create a local printer on a print server, the Add
Printer Wizard asks you to specify the port to which the printer is attached. If the
port already exists, whether a local port such as LPT1 or a network port specified
by an IP address, select the port from the Use The Following Port drop-down list.
When setting up a logical printer for a network-attached printer for which a port
has not been created, click Create A New Port, select Standard TCP/IP Port, and
click Next. The Add Standard TCP/IP Printer Port Wizard appears. Clicking Next
prompts you for the IP address or DNS name of the printer. After the port has been
added, you are returned to the Add Printer Wizard.
■ Install Printer Software If Plug and Play does not detect and install the correct
printer automatically, you can select your printer from an extensive list that is cat-
egorized by manufacturer. If the printer does not appear on the list, you can click
Have Disk and install the printer from drivers supplied by the manufacturer.
■ Printer Name and Share Name Although Windows Server 2003 supports long
printer names and share names including spaces and special characters, it is best
practice to keep names short and simple. The entire qualified name including the
server name (for example, \\Server01\PSCRIPT) should be 32 characters or fewer.
The share name and the printer name appear and are used in different places
throughout the Windows user interface. Although the share name is independent
of, and can be different from, the printer name, many enterprises unify the printer
name and the share name to reduce confusion.
Configuring Printer Properties
After installing the logical printer, you can configure numerous properties by opening
the printer’s Properties dialog box, shown in Figure 8-2. The General tab allows you to
configure the printer name, location, and comments, all of which were initially config-
ured based on your responses to prompts in the Add Printer Wizard.
Figure 8-2 The General tab of a printer’s Properties dialog box
The Sharing tab shown in Figure 8-3 allows you to specify whether the logical printer
is shared, and is therefore available to other clients on the network, and whether the
printer is listed in Active Directory, a default setting for shared printers, that allows
users to easily search for and connect to printers.
Note You can use the Sharing tab to stop sharing a printer if you take a printer offline and
want to prevent users from accessing the printer.
Figure 8-3 The Sharing tab of a printer’s Properties dialog box
During printer setup, Windows Server 2003 loads drivers onto the print server that sup-
port that printer for clients running Windows Server 2003, Windows XP, and Windows
2000. Printer drivers are platform-specific. If other platforms will be connecting to the
shared logical printer, install the appropriate drivers on the server so that Windows cli-
ents will download the driver automatically when they connect. Otherwise, you will be
prompted for the correct drivers on each individual client.
On the Sharing tab of the Properties dialog box, click Additional Drivers to configure
the print server to host drivers for computers running versions of Windows prior to
Windows 2000. When you select an earlier version of Windows, the server will prompt
you for the drivers for the appropriate platform and printer. Those drivers will be avail-
able from the printer’s manufacturer or sometimes on the original CD-ROM of the ear-
lier version of Windows.
By loading drivers on the server for all client platforms, you can centralize and facilitate
driver distribution. Client computers running Microsoft Windows NT, Windows 2000,
Windows XP, and Windows Server 2003 download the driver when they first connect
to the shared printer. They also verify that they have the current printer driver each
time they print and, if they do not, they download the updated driver. For these client
computers, you need only update printer drivers on the print server. Client computers
running Windows 95 or Windows 98 do not check for updated printer drivers once the
driver is initially downloaded and installed. You must manually install updated printer
drivers on these clients.
Other printer properties will be discussed later in this chapter.
Tip You can access other servers’ printer folders by browsing the network or by choosing the Run command from the Start menu and typing \\server_name. You can drag those servers’ Printers And Faxes folders to your own, giving you easy access to manage remote printers.
Connecting Clients to Printers
Printers that have been set up as logical printers on a print server can be shared to
other systems on the network. Those systems will also require logical printers to rep-
resent the network printer.
Configuring a print client can be done in several ways, including the Add Printer Wiz-
ard, which can be started from the Printers And Faxes folder or from the common Win-
dows Print dialog box in almost all Microsoft applications, including Internet Explorer
and Notepad. On the Local or Network Printer page, select A Network Printer Or A
Printer Attached To Another Computer. When prompted for the printer name, you can
search Active Directory, enter the Universal Naming Convention (UNC) (for example,
\\Server\Printersharename) or Uniform Resource Locator (URL) to the printer, or
browse for the printer using the Browser service.
One of the more efficient ways to set up print clients is to search Active Directory for
the printer. In the Specify A Printer page of the Add Printer Wizard, choose Find A
Printer In The Directory and click Next. The Find Printers dialog box appears, as
shown in Figure 8-4, and you can enter search criteria including printer name, location,
model, and features. Wildcards can be used in many of the criteria. Click Find Now and
a result set is displayed. Select the printer and click OK. The Add Printer Wizard then
steps you through remaining configuration options.
Tip You can save a search by choosing Save Search from the File menu. As an administra-
tor, you can create and save custom searches to users’ desktops, allowing them to easily
locate predefined subsets for the printers in your enterprise.
A logical printer includes the drivers, settings, and print queue for the printer on the
selected port. When you double-click a printer in the Printers And Faxes folder, a win-
dow opens that displays the jobs in the printer’s queue. By right-clicking any job, you
can pause, resume, cancel, or restart the job. From the Printer menu, you can also
pause or cancel all printing, access the printer properties, or set the printer as default
or offline. Your ability to perform each of these actions depends, of course, upon the
permissions on the printer’s access control list.
Figure 8-4 The Find Printers dialog box
As an alternative to using the Add Printer Wizard, if you are using Windows Server
2003 or Windows XP with the default Start menu, perform the following steps to con-
figure a print client:
1. Click Start, and then select Search.
2. In the Search Companion pane, click Other Search Options, and then click Printers,
Computers, Or People. Click A Printer On The Network.
3. The Find Printers dialog box will be displayed, allowing you to search for the
printer using various criteria.
4. After entering the desired criteria, click Find Now.
Practice: Installing and Configuring a Printer
In this practice, you will set up a logical printer on a print server and simulate connect-
ing a client to the shared printer. You will then send a print job to the printer.
You do not need to have a print device connected to Server01 or to the network, nor
are you required to have a second computer to act as a print client. However, if you
have access to these additional components, you are encouraged to implement the
exercises using that extra hardware.
Exercise 1: Add a Local Printer and Configure Print Sharing
In this exercise, you use the Add Printer Wizard to add a logical printer to Server01.
The printer will connect to a network-attached HP LaserJet 8100 that is connected to
the network at IP address 10.0.0.51. You do not need an actual printer to complete this
exercise.
1. Log on to Server01 as Administrator.
2. Open the Printers And Faxes folder.
3. Double-click Add Printer. The Add Printer Wizard appears.
4. Click Next. The Local Or Network Printer page appears.
You are prompted for the location of the printer. Although the printer is attached
to the network, the logical printer serving that printer is being added to Server01,
so the printer is referred to as a local printer.
5. Verify that the Local Printer option is selected and that the Automatically Detect
And Install My Plug And Play Printer check box is cleared (because you are con-
figuring a printer for a fictional device), and then click Next.
6. The Select A Printer Port page appears. Click Create A New Port.
7. Select Standard TCP/IP Port from the Type Of Port drop-down list.
The port types that will be available, other than local port, depend on the installed
network protocols. In this case, TCP/IP is installed, so this protocol-based port is
available.
8. Click Next. The Add Standard TCP/IP Printer Port Wizard appears.
9. Click Next.
10. Enter the IP Address: 10.0.0.51 and accept the default port name, IP_10.0.0.51.
11. Click Next.
Because a print device is not actually attached to the network at that address, there
will be a delay while the Wizard attempts to locate and identify the printer. You
will also be prompted to specify the type of network interface.
12. Select Hewlett Packard Jet Direct as the device type.
13. Click Next, and then click Finish. The Add Standard TCP/IP Printer Port Wizard
closes, returning you to the Add Printer Wizard.
The Wizard prompts you for the printer manufacturer and model. You will add an
HP LaserJet 8100 Series PCL printer.
Tip The printers list is sorted in alphabetical order. If you cannot find a printer name, make
sure that you are looking in the correct location.
14. From the Manufacturer list, click HP; from the Printers list, scroll down the list,
click HP LaserJet 8100 Series PCL, and then click Next.
The Name Your Printer page appears. The default name in the Printer Name field
is the printer model, HP LaserJet 8100 Series PCL. The name you enter should con-
form to naming conventions in your enterprise. For this exercise, enter the name
HPLJ8100.
15. Type HPLJ8100 and click Next.
The Printer Sharing page appears, prompting you for printer-sharing information.
The share name should also reflect naming conventions in your enterprise. As dis-
cussed earlier, the printer’s UNC (that is, \\Servername\Printersharename) should
not exceed 32 characters.
16. Verify that the Share Name option is selected.
17. In the Share Name text box, type HPLJ8100, and then click Next.
The Location And Comment page appears.
Note The Add Printer Wizard displays the values you enter for the Location and Comment
text boxes when a user searches Active Directory for a printer. Entering this information is
optional, but doing so helps users locate the printer.
18. In the Location text box, type USA/NYC/1802Americas/42/B.
19. In the Comment text box, type Black and White Output Laser Printer-High
Volume.
20. Click Next.
The Print Test Page screen appears. A test page that prints successfully would con-
firm that your printer is set up properly.
21. Choose No (because the printer doesn’t exist) and click Next. The Completing The
Add Printer Wizard page appears and summarizes your installation choices.
22. Confirm the summary of your installation choices, and then click Finish.
An icon for the printer appears in the Printers And Faxes window. Notice that
Windows Server 2003 displays an open hand beneath the printer icon. This indi-
cates the printer is shared. Also notice the check mark next to the printer, which
indicates the printer is the default printer for the print server.
23. Keep the Printers And Faxes window open because you will need it to complete
the next exercise.
Exercise 2: Connect a Client to a Printer
If you have access to a second computer, you would install on each workstation a
printer that connects to the shared printer on Server01. In this practice, you are
required to have only one computer (Server01), but you can simulate connecting a
printer client to the server’s logical printer.
1. Open the Printers And Faxes folder.
2. Start the Add Printer Wizard and click Next.
3. In the Local Or Network Printer dialog box, select A Network Printer, Or A Printer
Attached To Another Computer and click Next.
4. Confirm that Find A Printer In The Directory is selected and click Next. The Find
Printers dialog box appears.
5. In the Location box, type *NYC* and then click Find Now.
6. Select the printer HPLJ8100 in the results list and click OK.
7. On the Add Printer Wizard’s Default Printer page, select Yes and then click Next.
8. Click Finish.
You will not see a new printer icon in the Printers And Faxes folder because it is
not possible to create a printer client to a logical printer on the same computer. If
you conduct this exercise on a second computer, you will see the icon for the new
printer appear.
Exercise 3: Take a Printer Offline and Print a Test Document
In this exercise, you set the printer you created to offline status. Taking a printer offline
causes documents sent to that printer to be held in the print queue while the print
device is unavailable. Doing this prevents the error messages that Windows Server 2003
would otherwise display in later exercises when it attempts to send documents to the
fictional print device, which is not actually available to the computer.
1. In the Printers And Faxes window, right-click the HPLJ8100 icon.
2. Choose Use Printer Offline. Notice that the icon appears dimmed to reflect that the
printer is not available, and the status appears as Offline.
3. Double-click the HPLJ8100 icon. Notice that the list of documents to be sent to the
print device is empty.
4. Click the Start menu, point to Programs, point to Accessories, and then click
Notepad.
5. In Notepad, type any sample text that you want.
6. Arrange Notepad and the HPLJ8100 window so that you can see the contents of each.
Lesson 1 Installing and Configuring Printers 8-13
7. From the File menu in Notepad, select Print. The Print dialog box appears, allow-
ing you to select the printer and print options.
The Print dialog box displays the location and comment information you entered
when you created the printer, and it shows HPLJ8100 as the default and selected
printer and indicates that the printer is offline.
8. Click Print. Notepad briefly displays a message stating that the document is print-
ing on your computer. On a fast computer, you might not see this message.
In the HPLJ8100–Use Printer Offline window, you will see the document waiting
to be sent to the print device. The document is held in the print queue because
you took the printer offline. If the printer were online, the document would be
sent to the print device.
9. Close Notepad, and click No when prompted to save changes to your document.
10. Select the document in the HPLJ8100 window and, from the Printer menu, select
Cancel All Documents. A Printers message box appears, asking if you are sure you
want to cancel all documents for HPLJ8100.
11. Click Yes. The document is removed.
12. Close the HPLJ8100–Use Printer Offline window.
13. Close the Printers And Faxes window.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. You’re setting up a printer on your computer running Windows Server 2003. The
computer will be used as a print server on your network. You plan to use a print
device that’s currently connected to the network as a stand-alone print device.
Which type of printer should you add to the print server? (Choose all that apply.)
a. Network
b. Shared
c. Local
d. Remote
2. You’re installing a printer on a client computer. The printer will connect to a logi-
cal printer installed on a Windows Server 2003 print server. What type or types of
information could you provide to set up the printer? (Choose all that apply.)
a. TCP/IP printer port
b. Model of the print device
c. URL to printer on print server
d. UNC path to print share
e. Printer driver
3. One of your printers is not working properly, and you want to prevent users from
sending print jobs to the logical printer serving that device. What should you do?
a. Stop sharing the printer
b. Remove the printer from Active Directory
c. Change the printer port
d. Rename the share
4. You’re administering a computer running Windows Server 2003 configured as a
print server. You want to perform maintenance on a print device connected to the
print server. There are several documents in the print queue. You want to prevent
the documents from being printed to the printer, but you don’t want users to have
to resubmit the documents to the printer. What is the best way to do this?
a. Open the printer’s Properties dialog box, select the Sharing tab, and then
select the Do Not Share This Printer option.
b. Open the printer’s Properties dialog box and select a port that is not associ-
ated with a print device.
c. Open the printer’s queue window, select the first document, and then select
Pause from the Document window. Repeat the process for each document.
d. Open the printer’s queue window and select the Pause Printing option from
the Printer menu.
Lesson Summary
■ A printer client submits a print job to a print server, which in turn sends the job to
the printer. The printer client and the print server each maintain a logical printer
representing the printer.
■ A local printer is one that supports a printer directly attached to the computer or
attached to the network.
■ A network printer connects to a logical printer maintained by another computer:
a print server.
■ Microsoft Windows clients download the printer driver automatically from the
logical printer on the print server. Drivers for additional client platforms are added
using the printer’s Sharing property page.
Lesson 2: Advanced Printer Configuration and Management
In the previous lesson, you learned that the Windows printer model is best leveraged
when a logical printer is created to support a physical device—either directly attached
to the computer or attached to the network—and when that logical printer is shared to
printer clients. That logical printer on the print server becomes a central point of con-
figuration and management. The drivers that you install on the printer are downloaded
automatically by Windows clients, and the settings you configure for the printer are
distributed as the settings for each of the printer’s clients.
This lesson takes this virtualization of printers as logical devices to the next level. After
examining printer properties, including printer security, you will learn how to create
printer pools to provide faster turnaround for client print jobs. You will also learn how
to make better use of your printers by creating more than one logical printer for a
device to configure, manage, or monitor print jobs or printer usage more effectively.
Finally, you will learn how to manage Active Directory printer objects and Internet
printing.
After this lesson, you will be able to
■ Manage and configure printer properties
■ Create a printer pool
■ Configure multiple logical printers to support a single printer
■ Manage and connect to printers using Active Directory and Internet Printing Protocol
(IPP)
Estimated lesson time: 30 minutes
Managing Printer Properties
Printers and print jobs are managed from their Properties dialog boxes. These Proper-
ties dialog boxes can be accessed from the Printers And Faxes folder. Right-click a
printer and select Properties to configure a printer. Double-click a printer and, in the
print queue, right-click a print job and choose Properties to configure a print job. The
initial properties of a print job are inherited from the properties of the printer itself. But
a print job’s default properties can be modified independently of the printer’s.
Controlling Printer Security
Windows Server 2003 allows you to control printer usage and administration by assign-
ing permissions through the Security tab of the printer’s Properties dialog box. You can
assign permissions to control who can use a printer and who can administer the printer
or documents processed by the printer. A typical printer Security tab of a printer’s
Properties dialog box is shown in Figure 8-5.
Figure 8-5 The Security tab of a printer’s Properties dialog box
You can use a printer’s access control list (ACL) to restrict usage of a printer and to
delegate administration of a printer to users who are not otherwise administrators.
Windows Server 2003 provides three levels of printer permissions: Print, Manage Print-
ers, and Manage Documents.
By default, the Print permission is assigned to the Everyone group. Choosing this per-
mission allows all users to send documents to the printer. To restrict printer usage,
remove this permission and assign Allow Print permission to other groups or individual
users. Alternatively, you can deny Print permission to groups or users. As with file sys-
tem ACLs, denied permissions override allowed permissions. Also, like file system
ACLs, it is best practice to restrict access by assigning allow permissions to a more
restricted group of users rather than by granting permissions to a broader group and
then having to manage access by assigning additional deny permissions.
The Manage Documents permission provides the ability to cancel, pause, resume, or
restart a print job. The Creator Owner group is allowed Manage Documents permis-
sion. Because a permission assigned to Creator Owner is inherited by the user who cre-
ates an object, this permission enables a user to cancel, pause, resume, or restart a print
job that he or she has created. The Administrators, Print Operators, and Server Opera-
tors groups are also allowed the Manage Documents permission, which means they
can cancel, pause, resume, or restart any document in the print queue. Those three
groups are also assigned the Allow Manage Printers permission, which enables them to
modify printer settings and configuration, including the ACL itself.
Tip If a printer’s security is not a major concern, you can delegate administration of the
printer by assigning a group, such as the <Printer> Users group, Manage Documents or even
Manage Printers permission.
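The permission rules above (three levels, Deny overriding Allow, CREATOR OWNER standing for whoever submitted a job) can be checked against a small model. The following Python is an added worked example, not code from this training kit or from Windows: it treats Manage Printers as including Print, which is what the Security tab does when it checks Print for you, and it keeps Manage Documents separate from Print. The user names and the Marketing, Executives and Contractors groups are assumptions; the built-in groups are the ones the text names.

```python
from dataclasses import dataclass

# The three permission levels on the Security tab, and what each one grants.
# Manage Printers includes Print (the tab checks Print for you when you allow
# it); Manage Documents does not, which is the point of review question 1.
PRINT = "Print"
MANAGE_DOCUMENTS = "Manage Documents"
MANAGE_PRINTERS = "Manage Printers"
GRANTS = {
    PRINT: {PRINT},
    MANAGE_DOCUMENTS: {MANAGE_DOCUMENTS},
    MANAGE_PRINTERS: {MANAGE_PRINTERS, PRINT},
}
CREATOR_OWNER = "CREATOR OWNER"


@dataclass(frozen=True)
class Ace:
    """One access control entry: Allow (or Deny) a permission level to a trustee."""
    trustee: str
    permission: str
    allow: bool = True


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset

    def covered_by(self, trustee, job_owner=None):
        # CREATOR OWNER stands for whoever submitted the job being acted on.
        if trustee == CREATOR_OWNER:
            return job_owner is not None and job_owner == self.name
        return trustee == self.name or trustee in self.groups


def access_check(acl, user, permission, job_owner=None):
    """True if user may exercise permission on this printer (or on one of its jobs).

    Any applicable Deny entry wins over every Allow entry, as with NTFS ACLs;
    otherwise the user needs at least one applicable Allow entry whose level
    grants the requested permission.
    """
    applicable = [ace for ace in acl
                  if permission in GRANTS[ace.permission]
                  and user.covered_by(ace.trustee, job_owner)]
    if any(not ace.allow for ace in applicable):
        return False
    return any(ace.allow for ace in applicable)


def default_acl():
    """The default printer ACL described in the text."""
    operators = ("Administrators", "Print Operators", "Server Operators")
    acl = [Ace("Everyone", PRINT), Ace(CREATOR_OWNER, MANAGE_DOCUMENTS)]
    acl += [Ace(g, MANAGE_DOCUMENTS) for g in operators]
    acl += [Ace(g, MANAGE_PRINTERS) for g in operators]
    return tuple(acl)


def restrict_to(group, acl=None):
    """Remove Everyone/Print and allow Print only to one group (group name assumed)."""
    base = acl if acl is not None else default_acl()
    return tuple(ace for ace in base if ace.trustee != "Everyone") + (Ace(group, PRINT),)


# Constructed users; group names other than the built-in ones are assumptions.
ALICE = User("alice", frozenset({"Domain Users", "Everyone", "Marketing"}))
BOB = User("bob", frozenset({"Domain Users", "Everyone", "Executives"}))
CARL = User("carl", frozenset({"Domain Users", "Everyone", "Contractors"}))
PAT = User("pat", frozenset({"Domain Users", "Everyone", "Print Operators"}))


def scenarios():
    default = default_acl()
    executives = restrict_to("Executives")
    # Review question 1: Marketing holds only Manage Documents, Everyone/Print removed.
    marketing_only = tuple(a for a in default if a.trustee != "Everyone") + (
        Ace("Marketing", MANAGE_DOCUMENTS),)
    # Deny beats Allow: contractors are in Everyone yet explicitly denied Print.
    with_deny = default + (Ace("Contractors", PRINT, allow=False),)
    return {
        "alice prints on default": access_check(default, ALICE, PRINT),
        "alice prints on executives": access_check(executives, ALICE, PRINT),
        "bob prints on executives": access_check(executives, BOB, PRINT),
        "marketing with only Manage Documents prints": access_check(marketing_only, ALICE, PRINT),
        "contractor prints despite Everyone": access_check(with_deny, CARL, PRINT),
        "alice pauses her own job": access_check(default, ALICE, MANAGE_DOCUMENTS, job_owner="alice"),
        "alice pauses bob's job": access_check(default, ALICE, MANAGE_DOCUMENTS, job_owner="bob"),
        "pat pauses bob's job": access_check(default, PAT, MANAGE_DOCUMENTS, job_owner="bob"),
        "pat changes the ACL": access_check(default, PAT, MANAGE_PRINTERS),
        "alice changes the ACL": access_check(default, ALICE, MANAGE_PRINTERS),
    }


if __name__ == "__main__":
    for label, allowed in scenarios().items():
        print(f"{label}: {'allowed' if allowed else 'denied'}")
```

The deny case is the one to watch in practice: a single Deny Print entry on a group silently overrides the Everyone/Print allow for every member of that group, which is why the text recommends a short allow list over a growing set of deny entries.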
Assigning Forms to Paper Trays
If a print device has multiple trays that regularly hold different paper sizes, you can
assign a form to a specific tray. A form defines a paper size. When users print a docu-
ment of a particular paper size, Windows Server 2003 automatically routes the print job
to the paper tray that holds the correct form. Examples of forms include Legal, Letter,
A4, Envelope, and Executive.
To assign a form to a paper tray, select the Device Settings tab of the printer’s Proper-
ties dialog box, as shown in Figure 8-6. The number of trays shown in the Form To
Tray Assignment section obviously depends on the type of printer you have installed
and the number of trays it supports. Further down the Device Settings tree are settings
to indicate the installation state of printer options such as additional paper trays, paper
handling units, fonts, and printer memory.
Figure 8-6 The Device Settings tab of a printer’s Properties dialog box
Print Job Defaults
The General tab of the printer’s Properties dialog box includes a Printing Preferences
button, and the Advanced tab includes a Printing Defaults button. Both of these but-
tons display a dialog box that lets you control the manner in which jobs are printed by
the logical printer, including page orientation (portrait or landscape), double-sided
printing (if supported), paper source, resolution, and other document settings. These
dialog boxes are identical to each other and are also identical to the dialog box a user
receives when clicking Properties in a Print dialog box.
Why are there three print job Properties dialog boxes? The Printing Defaults dialog box
configures default settings for all users of the logical printer. If the printer is shared, its
printing defaults become the default properties for all printers connected from clients
to the shared printer. The Printing Preferences dialog box configures the user-specific,
personal preferences for a printer. Any settings in the Printing Preferences dialog box
override printing defaults. The Properties dialog box that can be accessed by clicking
Properties in a Print dialog box configures the properties for the specific job that is
printed. Those properties will override both printing defaults and printing preferences.
This triad of print job properties sets allows administrators to configure a printer cen-
trally by setting printing defaults on the shared logical printer and allows flexibility and
decentralized configuration by users or on a document-by-document basis.
Printer Schedule
The Advanced tab of a printer’s Properties dialog box, as shown in Figure 8-7, allows
you to configure numerous additional settings that drive the behavior of the logical
printer, its print processor, and spool. Among the more useful and interesting settings
is the printer’s schedule.
Figure 8-7 The Advanced tab of a printer’s Properties dialog box
The logical printer’s schedule determines when a job is released from the spool, or
queue, and sent to the printer itself. A user with Allow Print permission can send a job
to the printer at any time, but the job will be held until the printer’s schedule allows it
to be directed to the printer’s port. Such a configuration is not appropriate for normal,
day-to-day printers. However, a schedule is invaluable for situations in which users are
printing large jobs, and you want those jobs to print after hours or during periods of
low use. By configuring a printer’s schedule to be available during night hours, users
can send the job to the printer during the day, the printer will complete the jobs over-
night, and the users can pick up those printing jobs the next morning.
Setting Up a Printer Pool
A printer pool is one logical printer that supports multiple physical printers, attached to
the server, attached to the network, or a combination thereof. When you create a printer
pool, users’ documents are sent to the first available printer—the logical printer
representing the pool automatically checks for an available port.
Printer pooling is configured from the Ports tab of the printer’s Properties dialog box.
To set up printer pooling, select the Enable Printer Pooling check box, and then select
or add the ports containing print devices that will be part of the pool. Figure 8-8 shows
a printer pool connected to three network-attached printers.
Tip When you set up a printer pool, place the print devices in the same physical location so
that users can easily locate their documents. When users print to a printer pool, there is no
way to know which individual printer actually printed the job.
Figure 8-8 The Ports tab of a printer pool’s Properties dialog box showing a three-printer pool
! Exam Tip The driver used by the printer pool must be compatible with all printers to which
the pool directs print jobs.
Configuring Multiple Logical Printers for a Single Printer
Although a printer pool is a single logical printer that supports multiple ports, or print-
ers, the reverse structure is more common and more powerful: multiple logical printers
supporting a single port, or printer. By creating more than one logical printer directing
jobs to the same physical printer, you can configure different properties, printing
defaults, security settings, auditing, and monitoring for each logical printer.
For example, you might want to allow executives at Contoso, Ltd. to print jobs imme-
diately, bypassing documents that are being printed by other users. To do so, you can
create a second logical printer directing to the same port (the same physical printer) as
the other users, but with a higher priority.
Use the Add Printer Wizard to generate an additional logical printer. To achieve a mul-
tiple logical printer-single port structure, additional printers use the same port as an
existing logical printer. The printer name and share name are unique. After the new
printer has been added, open its properties and configure the drivers, ACL, printing
defaults, and other settings of the new logical printer.
To configure high priority for the new logical printer, click the Advanced tab and set
the priority in the range of 1 (lowest) to 99 (highest). Assuming that you assigned 99 to
the executives’ logical printer, and 1 to the printer used by all users, documents sent to
the executives’ printer will print before documents queued in the users’ printer. An
executive’s document will not interrupt a user’s print job. However, when the printer is
free, it will accept jobs from the higher-priority printer before accepting jobs from the
lower-priority printer. To prevent users from printing to the executives’ printer, config-
ure its ACL and remove the print permission assigned to the Everyone group, and
instead allow only the executives’ security group print permission.
! Exam Tip Remember that a printer pool is a single logical printer serving multiple ports,
and all other variations on the standard print client—print server—printer structure are
achieved by creating multiple logical printers serving a single port.
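To see how the three mechanisms just described (a printer pool, the printer schedule, and several logical printers with different priorities on one port) interact on a single print server, here is an added simulation in Python. It is not code from this training kit and the real spooler is not this simple; it only models the rules the text states: a pool takes the first free port, a higher-priority logical printer is served first once the device is free but never interrupts a job in progress, and a job sent to a scheduled printer stays in the spool until the schedule opens. It uses the chapter’s two network ports and the printer names from the practice, but places PriorityPrinter on the same port as HPLJ8100 to match the executives example, and adds an assumed NightPrinter with an overnight schedule; the jobs, their sizes and their arrival times are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Job:
    job_id: str
    printer: str       # logical printer the client submitted to
    minutes: int       # time the print device needs for the job
    submitted: int     # minute of day (0-1439) the job entered the spool


@dataclass(frozen=True)
class LogicalPrinter:
    name: str
    ports: Tuple[str, ...]                  # more than one port = printer pool
    priority: int = 1                       # Advanced tab: 1 lowest .. 99 highest
    available_from: Optional[int] = None    # Advanced tab "Available from/to" in
    available_to: Optional[int] = None      # minutes of day; None = always available

    def available(self, now):
        if self.available_from is None or self.available_to is None:
            return True
        start, end = self.available_from, self.available_to
        if start <= end:
            return start <= now < end
        return now >= start or now < end    # window crosses midnight


class Spooler:
    """One print server: logical printers sharing a set of ports (print devices)."""

    def __init__(self, printers):
        self.printers = {p.name: p for p in printers}
        self.busy_until = {port: 0 for p in printers for port in p.ports}
        self.queues = {p.name: [] for p in printers}
        self._order = {}           # arrival order, for FIFO within equal priority
        self.log = []              # (job_id, port, start minute)

    def submit(self, job):
        self._order[job.job_id] = len(self._order)
        self.queues[job.printer].append(job)

    def _candidates(self, port, now):
        # Head-of-queue job of every logical printer that can use this port now.
        for p in self.printers.values():
            if port in p.ports and p.available(now) and self.queues[p.name]:
                yield p, self.queues[p.name][0]

    def tick(self, now):
        for port in sorted(self.busy_until):
            if self.busy_until[port] > now:
                continue           # a job already printing is never interrupted
            best = min(self._candidates(port, now),
                       key=lambda c: (-c[0].priority, c[1].submitted,
                                      self._order[c[1].job_id]),
                       default=None)
            if best is None:
                continue
            printer, job = best
            self.queues[printer.name].pop(0)
            self.busy_until[port] = now + job.minutes
            self.log.append((job.job_id, port, now))


def run(spooler, jobs, start, end):
    """Feed jobs to the spooler as they arrive and advance the clock a minute at a time."""
    pending = sorted(jobs, key=lambda j: j.submitted)
    for now in range(start, end + 1):
        while pending and pending[0].submitted <= now:
            spooler.submit(pending.pop(0))
        spooler.tick(now)
    return list(spooler.log)


def demo():
    """Constructed scenario on the chapter's two network ports."""
    p51, p52 = "IP_10.0.0.51", "IP_10.0.0.52"
    printers = [
        LogicalPrinter("HPLJ8100", (p51,)),
        LogicalPrinter("PriorityPrinter", (p51,), priority=99),
        LogicalPrinter("PrinterPool", (p51, p52)),
        LogicalPrinter("NightPrinter", (p51,), available_from=22 * 60, available_to=6 * 60),
    ]
    jobs = [
        Job("J1", "HPLJ8100", 3, 9 * 60),
        Job("J2", "HPLJ8100", 2, 9 * 60),
        Job("J4", "PrinterPool", 2, 9 * 60),
        Job("J5", "NightPrinter", 1, 9 * 60),
        Job("J3", "PriorityPrinter", 2, 9 * 60 + 1),   # arrives while J1 is printing
    ]
    return run(Spooler(printers), jobs, 9 * 60, 22 * 60)


if __name__ == "__main__":
    for job_id, port, start in demo():
        print(f"{start // 60:02d}:{start % 60:02d} {job_id} -> {port}")
```

Run as a script, it prints the dispatch order: J4 goes to the pool’s second port because the first is busy with J1, J3 waits for J1 to finish rather than interrupting it and then bypasses J2, and J5 does not leave the spool until 22:00.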
Windows Server 2003 Printer Integration with Active Directory
The print subsystem of Windows Server 2003 is tightly integrated with Active Directory,
making it easy for users and administrators to search for and connect to printers
throughout an enterprise. All required interaction between printers and Active Direc-
tory is configured, by default, to work without administrative intervention. You need to
make changes only if the default behavior is not acceptable.
When a logical printer is added to a Windows Server 2003 print server, the printer is
automatically published to Active Directory. The print server creates a printQueue
object and populates its properties based on the driver and settings of the logical
printer.
Off the Record The printer objects are not easy to find in Active Directory Users And Com-
puters. You must use the Find Objects In Active Directory button on the MMC toolbar or select
Users, Groups, And Computers As Containers from the View menu, at which point printer
objects become visible inside the print server’s computer object, where Active Directory
places them. The object can be moved to any OU.
When any change occurs in the printer’s configuration, the Active Directory printer
object is updated. All the configuration information is sent again to the Active Directory
store even if some of it has remained unchanged.
Planning Creation and updating of printer objects happens relatively quickly, but objects
and attributes must be replicated before they affect the results of a Find Printers operation
from a client. Replication latency depends on the size of your enterprise and your replication
topology.
If a print server disappears from the network, its printer object is removed from Active
Directory. The printer Pruner service confirms the existence of shared printers repre-
sented in Active Directory by contacting the shared printer every eight hours. A printer
object will be pruned if the service is unable to contact the printer two times in a row.
This might occur if a print server is taken offline. It will happen regularly if printers are
shared on Windows 2000 or Windows XP workstations that are shut off overnight or on
weekends. However, a print server will re-create the printer objects for its printers
when the machine starts or when the spooler service is restarted. So, again, adminis-
trative intervention is not required.
Publishing Windows Printers
Printers that are added by using the Add Printer Wizard are published by default. The
Add Printer Wizard does not allow you to prevent the printer from being published to
the Active Directory service when you install or add a printer.
If you want to re-publish a printer (for example, after updating its name or other prop-
erties), or if you do not want a shared printer published in Active Directory, open the
printer’s Properties dialog box, click the Sharing tab, and select or clear the List In The
Directory check box.
Note A printer connected to a local port is likely to be detected and installed automatically
by Plug And Play. In this case, you must share and publish the printer manually using the
Sharing tab.
Logical printers that are shared on computers running Windows NT 4 or Windows NT
3.51 are not published automatically but can be manually published using the Active
Directory Users And Computers MMC. Simply right-click the OU or other container in
which you want to create the printer and choose New Printer.
Planning You should add only printer objects that map to printers on pre–Windows 2000
computers. Do not add printer objects for printers on computers running Windows 2000 or
later; allow those printers to publish themselves automatically.
Manually Configuring Printer Publishing Behavior
All the default system behaviors described above can be modified using local or group
policy. Printer policies are located in the Computer Configuration node, under Admin-
istrative Templates. For a description of each of these policies, open the Properties dia-
log box for a specific policy and click the Explain tab.
Printer Location Tracking
Printer location tracking is a feature, disabled by default, that significantly eases a user’s
search for a printer in a large enterprise by pre-populating the Location box of the Find
Printers dialog box, so that the result set will automatically be filtered to list printers in
geographic proximity to the user.
To prepare for printer location tracking, you must have one or more sites or one or
more subnets. Site and subnet objects are created and maintained using the Active
Directory Sites And Services MMC or snap-in. You must also configure the Location tab
of the site or subnet Properties dialog box using a naming convention that creates a
hierarchy of locations, separated by slashes. For example, the location USA/NYC/
1802Americas/42/B might refer to a building at 1802 Avenue of the Americas in Man-
hattan, on the 42nd floor in Area B. A location may span more than one subnet or more
than one site.
You must then enable printer location tracking using the Pre-Populate Printer Search
Location Text policy.
Active Directory is able to identify a computer’s site or subnet affiliation based on the
computer’s IP address. When the Find Printers dialog box is invoked, the computer’s
location, as defined in its corresponding site or subnet object, will be automatically
placed in the Location box. A Browse button will also appear, enabling a user to
browse the location hierarchy for printers in other locations.
This powerful feature simplifies printer administration and setup considerably. How-
ever, it obviously requires careful planning on the back end to ensure that all subnets
are defined, and that a reasonable, hierarchical location naming convention has been
applied consistently. More information about this feature is available in the online Help
and Support Center.
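The lookup behind printer location tracking, as an added Python example that is not code from this training kit or from Windows: the client’s IP address selects the most specific subnet object whose Location attribute pre-populates the search, Find Printers filters the published printQueue objects by that text, and the Browse button offers the next level of the slash-separated hierarchy. The subnet map and the printer objects are constructed. Treating a plain Location string as a prefix match (so a floor also returns its areas) and a string containing * or ? as a wildcard, as in the *NYC* search of the Lesson 1 practice, is an assumption about how Find Printers filters.

```python
import fnmatch
import ipaddress

# Constructed subnet-to-location map; in Active Directory these strings sit on the
# Location tab of subnet (or site) objects in Active Directory Sites And Services.
SUBNET_LOCATIONS = {
    "10.0.0.0/16": "USA/NYC/1802Americas",        # whole building
    "10.0.0.0/24": "USA/NYC/1802Americas/42/B",   # one floor area, more specific
    "10.0.1.0/24": "USA/NYC/1802Americas/43/A",
    "10.1.0.0/16": "USA/SEA/Main",
}

# Constructed printQueue objects as published: (printer name, location attribute).
PRINTERS = [
    ("HPLJ8100", "USA/NYC/1802Americas/42/B"),
    ("PrinterPool", "USA/NYC/1802Americas/42/B"),
    ("Floor43Color", "USA/NYC/1802Americas/43/A"),
    ("SeattleLobby", "USA/SEA/Main/1"),
]


def client_location(ip, subnet_locations=SUBNET_LOCATIONS):
    """Text to pre-populate the Location box: the most specific subnet holding ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, location in subnet_locations.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, location)
    return best[1] if best else ""


def find_printers(location_text, printers=PRINTERS):
    """Find Printers: wildcards match anywhere; plain text is a prefix ('text*')."""
    if not any(c in location_text for c in "*?"):
        location_text += "*"
    pattern = location_text.lower()
    return [name for name, loc in printers if fnmatch.fnmatchcase(loc.lower(), pattern)]


def browse(parent, printers=PRINTERS, subnet_locations=SUBNET_LOCATIONS):
    """Next level of the hierarchy under parent ('' = top), as the Browse button shows."""
    prefix = parent.split("/") if parent else []
    known = list(subnet_locations.values()) + [loc for _, loc in printers]
    levels = set()
    for loc in known:
        parts = loc.split("/")
        if parts[:len(prefix)] == prefix and len(parts) > len(prefix):
            levels.add(parts[len(prefix)])
    return sorted(levels)


if __name__ == "__main__":
    here = client_location("10.0.0.77")
    print("Location box:", here)
    print("Nearby printers:", find_printers(here))
    print("Browse", repr(here.rsplit("/", 2)[0]), "->", browse(here.rsplit("/", 2)[0]))
```

A client on 10.0.5.3 falls only inside the /16, so its search starts at the building level and returns every printer in it; a client on 10.0.0.77 matches the more specific /24 and starts at 42/B. Nothing validates the strings themselves, so one subnet object with a misspelled level silently drops its printers out of the hierarchy for everyone on that subnet.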
Internet Printing
Windows Server 2003 supports an additional set of functionality through IPP, which
enables users to connect to printers and send print jobs encapsulated in Hypertext
Transfer Protocol (HTTP). Internet printing also gives administrators the option to man-
age and configure printers from a Web browser on any platform.
Setting Up Internet Printing
Internet printing is not installed or enabled by default in Windows Server 2003. You
must install Internet Information Services (IIS), as discussed in Chapter 6, “Files and
Folders.” Internet printing is available for installation when you install IIS. To install
Internet printing, perform the following steps:
1. Open Add/Remove Programs in Control Panel and click Add/Remove Windows
Components.
2. Select Application Server and click Details.
3. Select Internet Information Services (IIS) and click Details.
4. Select Internet Printing.
Once IIS and Internet printing are installed, you can disable or enable the feature using
the IIS snap-in or console. Expand the server’s node and click Web Service Extensions.
In the details pane, select Internet Printing, and click Prohibit or Allow.
Internet printing creates a Printers virtual directory under the Default Web site. This vir-
tual directory points to %SystemRoot%\Web\Printers. The printer site is accessed using
Microsoft Internet Explorer 4.01 and later by typing the address of the print server in
the Address box followed by the Printers virtual directory name. For example, to access
the Internet printing page for Server01, type http://Server01/printers/.
Note You can configure authentication and access security for Internet printing using the
virtual directory’s Properties dialog box. The authentication method you choose there determines
the identity that the printer ACLs see: a request that IIS accepts anonymously is checked as the
IIS anonymous user account, not as the person at the browser. If printer permissions matter,
require Integrated Windows authentication on the virtual directory, and use SSL if the site is
reachable from outside the intranet.
Using and Managing Internet Printers
You can connect to http://printserver/printers to view all printers on the print server.
After locating the desired printer and clicking it, a Web page for that printer is displayed.
As a shortcut, if you know the exact name of the printer to which you want to connect,
type the address of the printer using the following format:
http://printserver/printersharename/
Once the printer’s Web page is displayed, you can connect to or manage the printer,
assuming you have been allowed appropriate security permissions. When you click
Connect on the printer’s Web page, the server generates a .cab file that contains the
appropriate printer driver files and downloads the .cab file to the client computer. The
printer that is installed is displayed in the Printers folder on the client. The printer can
then be used and managed from the Printers And Faxes folder like any other printer.
Using a Web browser to manage printers has several advantages:
■ It allows you to administer printers from any computer running a Web browser,
regardless of whether the computer is running Windows Server 2003 or has the
correct printer drivers installed.
■ It allows you to customize the interface. For example, you can create your own
Web page containing a floor plan with the locations of the printers and the links
to the printers.
■ It provides a summary page listing the status of all printers on a print server.
■ Internet printing can report real-time print device data, such as whether the print
device is in power-saving mode, if the printer driver makes such information avail-
able. This information is not available from the Printers And Faxes window.
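What “encapsulated in HTTP” looks like on the wire, as an added Python example that is not code from this training kit or from Windows: it encodes an IPP/1.1 Get-Printer-Attributes request in the binary attribute format of RFC 2910, wraps it in the HTTP POST that carries it (Content-Type application/ipp), and decodes a constructed reply, refusing truncated input rather than reading past the end of the buffer. The path /printers/HPLJ8100/.printer is assumed to be Server01’s IPP endpoint for the HPLJ8100 share, and the response bytes are constructed, not captured from a server.

```python
import struct

# IPP/1.1 wire format (RFC 2910): 2-byte version, 2-byte operation-id (request)
# or status-code (response), 4-byte request-id, then attribute groups made of
# (value-tag, name-length, name, value-length, value) and a final end tag.
OP_GET_PRINTER_ATTRIBUTES = 0x000B
TAG_OPERATION_ATTRS, TAG_END, TAG_PRINTER_ATTRS = 0x01, 0x03, 0x04
TAG_INTEGER, TAG_BOOLEAN, TAG_ENUM = 0x21, 0x22, 0x23
TAG_NAME, TAG_KEYWORD, TAG_URI, TAG_CHARSET, TAG_LANGUAGE = 0x42, 0x44, 0x45, 0x47, 0x48

# Assumed: the IPP endpoint Windows Internet Printing exposes for the HPLJ8100 share.
PRINTER_URI = "http://Server01/printers/HPLJ8100/.printer"


def encode_attribute(tag, name, value):
    if tag in (TAG_INTEGER, TAG_ENUM):
        data = struct.pack(">i", value)
    elif tag == TAG_BOOLEAN:
        data = b"\x01" if value else b"\x00"
    else:
        data = value.encode("utf-8")
    name_bytes = name.encode("ascii")
    return (struct.pack(">BH", tag, len(name_bytes)) + name_bytes
            + struct.pack(">H", len(data)) + data)


def encode_message(op_or_status, request_id, groups):
    """groups: list of (group_tag, [(value_tag, name, value), ...])."""
    out = struct.pack(">BBHI", 1, 1, op_or_status, request_id)
    for group_tag, attrs in groups:
        out += bytes([group_tag])
        for tag, name, value in attrs:
            out += encode_attribute(tag, name, value)
    return out + bytes([TAG_END])


def get_printer_attributes_request(printer_uri, request_id=1):
    """The first operation a client sends to a printer URL."""
    return encode_message(OP_GET_PRINTER_ATTRIBUTES, request_id, [
        (TAG_OPERATION_ATTRS, [
            (TAG_CHARSET, "attributes-charset", "utf-8"),
            (TAG_LANGUAGE, "attributes-natural-language", "en"),
            (TAG_URI, "printer-uri", printer_uri),
        ]),
    ])


def http_post(host, path, body):
    """The HTTP envelope: IPP rides in a POST whose body is application/ipp."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/ipp\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


def _take(message, pos, n):
    """Slice n bytes at pos, or fail loudly instead of reading past the end."""
    if pos + n > len(message):
        raise ValueError("truncated IPP message")
    return message[pos:pos + n], pos + n


def decode_message(message):
    """Return (header dict, {group_tag: {name: [values]}}) for a request or response."""
    raw, pos = _take(message, 0, 8)
    major, minor, op_or_status, request_id = struct.unpack(">BBHI", raw)
    groups, current, last_name = {}, None, None
    while True:
        raw, pos = _take(message, pos, 1)
        tag = raw[0]
        if tag == TAG_END:
            break
        if tag < 0x10:                     # delimiter tag opens a new group
            current = groups.setdefault(tag, {})
            continue
        if current is None:
            raise ValueError("attribute before any group delimiter")
        raw, pos = _take(message, pos, 2)
        name_len = struct.unpack(">H", raw)[0]
        raw, pos = _take(message, pos, name_len)
        name = raw.decode("ascii") if name_len else last_name   # empty name = extra value
        if name is None:
            raise ValueError("additional value with no preceding attribute")
        raw, pos = _take(message, pos, 2)
        value_len = struct.unpack(">H", raw)[0]
        raw, pos = _take(message, pos, value_len)
        if tag in (TAG_INTEGER, TAG_ENUM):
            value = struct.unpack(">i", raw)[0]
        elif tag == TAG_BOOLEAN:
            value = raw != b"\x00"
        else:
            value = raw.decode("utf-8")
        current.setdefault(name, []).append(value)
        last_name = name
    return {"version": (major, minor), "operation_or_status": op_or_status,
            "request_id": request_id}, groups


def sample_response():
    """Constructed successful-ok (status 0) reply for an idle HPLJ8100; not captured traffic."""
    return encode_message(0x0000, 1, [
        (TAG_OPERATION_ATTRS, [(TAG_CHARSET, "attributes-charset", "utf-8"),
                               (TAG_LANGUAGE, "attributes-natural-language", "en")]),
        (TAG_PRINTER_ATTRS, [(TAG_NAME, "printer-name", "HPLJ8100"),
                             (TAG_URI, "printer-uri-supported", PRINTER_URI),
                             (TAG_ENUM, "printer-state", 3),            # 3 = idle
                             (TAG_KEYWORD, "printer-state-reasons", "none"),
                             (TAG_BOOLEAN, "printer-is-accepting-jobs", True)]),
    ])


def demo():
    request = get_printer_attributes_request(PRINTER_URI)
    header, groups = decode_message(request)
    rsp_header, rsp_groups = decode_message(sample_response())
    try:
        decode_message(request[:-3])        # end tag and part of the URI cut off
        truncated_rejected = False
    except ValueError:
        truncated_rejected = True
    return {
        "request_id": header["request_id"],
        "request_uri": groups[TAG_OPERATION_ATTRS]["printer-uri"][0],
        "response_status": rsp_header["operation_or_status"],
        "printer_state": rsp_groups[TAG_PRINTER_ATTRS]["printer-state"][0],
        "accepting_jobs": rsp_groups[TAG_PRINTER_ATTRS]["printer-is-accepting-jobs"][0],
        "truncated_rejected": truncated_rejected,
        "post": http_post("Server01", "/printers/HPLJ8100/.printer", request),
    }
```

Because the whole exchange is ordinary HTTP, the authentication and SSL settings of the Printers virtual directory are the only thing standing between the network and the spooler: the IPP body carries no credentials of its own.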
Practice: Advanced Printer Configuration and Management
In this practice, you will configure printer pooling and configure a second logical
printer to a single network-attached printer.
Exercise 1: Configure Printer Pooling
1. From the Printers And Faxes window, create a new printer. If you need guidance
for how to create a printer, follow the steps in Lesson 1, Exercise 1. The printer
should direct to the network address 10.0.0.52 (a new port). Configure the printer
as an HP LaserJet 8100 Series PCL, and use PrinterPool as the printer name and the
share name. All other properties, including location and comment, are the same as
in Lesson 1, Exercise 1.
2. Open the properties of PrinterPool.
3. Click the Ports tab.
4. Select the Enable Printer Pooling check box, and then click the check box next to
the port IP_10.0.0.51.
5. Click Apply. Both network ports are now selected.
Will users sending print jobs to HPLJ8100 benefit from printer pooling?
No. Printer pooling was configured for the shared printer named PrinterPool. Print jobs sent to
PrinterPool can print to the printers at 10.0.0.51 and 10.0.0.52. Print jobs sent to HPLJ8100
can print only to the printer at 10.0.0.51.
Exercise 2: Configure Multiple Logical Printers for a Single Printer
1. From the Printers And Faxes window, create a new printer. If you need guidance
for how to create a printer, follow the steps in Lesson 1, Exercise 1. The printer
should direct to the network IP address 10.0.0.52 (note the port already exists).
Configure the printer as an HP LaserJet 8100 Series PCL, and use PriorityPrinter as
the printer name and the share name. All other properties, including location and
comment, are the same as in Lesson 1, Exercise 1.
2. Open the properties of PriorityPrinter.
3. Click the Advanced tab.
4. Set the Priority to 99 (highest).
Exercise 3: Examine Active Directory Printer Objects
1. Open Active Directory Users And Computers.
2. From the View menu, select Users, Groups, And Computers As Containers.
3. Expand the Domain Controllers OU. Note that Server01 appears as a subcontainer.
4. Select Server01 in the tree.
The printer objects appear in the details pane. If objects do not appear for the
printers you created in Exercises 1 and 2, wait a few minutes. The print server may
take a moment to publish its printers to Active Directory. You may need to press
F5 (refresh) to see the printer objects once they are published.
5. Open the properties of the PriorityPrinter object.
Note the differences between the properties that are published to Active Directory
and the properties that you would see for the printer in the Printers And Faxes
folder. Active Directory maintains a more limited number of properties—the prop-
erties that are most likely to be used in a search for a printer. Note also that chang-
ing a property in Active Directory does not change the property of the printer; but
changing a property of the printer will, eventually, update the corresponding
property in the Active Directory printer object.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. You’re administering a computer running Windows Server 2003 configured as a
print server. Users in the Marketing group complain that they cannot print docu-
ments using a printer on the server. You view the permissions in the printer’s
properties. The Marketing group is allowed Manage Documents permission. Why
can’t the users print to the printer?
a. The Everyone group must be granted the Manage Documents permission.
b. The Administrators group must be granted the Manage Printers permission.
c. The Marketing group must be granted the Print permission.
d. The Marketing group must be granted the Manage Printers permission.
2. You’re setting up a printer pool on a computer running Windows Server 2003. The
printer pool contains three print devices, all identical. You open the properties for
the printer and select the Enable Printer Pooling option on the Ports tab. What
must you do next?
a. Configure the LPT1 port to support three printers.
b. Select or create the ports mapped to the three printers.
c. On the Device Settings tab, configure the installable options to support two
additional print devices.
d. On the Advanced tab, configure the priority for each print device so that
printing is distributed among the three print devices.
3. You’re the administrator of the computer running Windows Server 2003 that is
configured as a print server, and you want to administer the print services from a
Web browser on a client computer. The server is named Mktg1, but you don’t
know the share name of the printer. Which URL should you use to connect to the
printer?
a. http://mktg1/printers
b. http://printers/mktg1
c. http://windows/web/printers
d. http://windows/mktg1
4. You want to configure a logical printer so that large, low-priority documents will
be printed overnight. Which of the following options will you configure in the
printer’s Properties dialog box?
a. Priority
b. Available From / To
c. Start Printing After Last Page Is Spooled
d. Print Directly To The Printer
e. Keep Printed Documents
Lesson Summary
The Windows printer model supports the creative and flexible use of printers through
logical printers. You can add one logical printer that sends jobs to multiple devices (a
printer pool) or multiple logical printers that send jobs to one device, with each logical
printer preconfigured with printer settings, print defaults, and permissions to support a
particular type of printing task.
Printers are published to Active Directory, making it easy for users to find and connect
to printers. Windows Server 2003 supports printer location tracking, which further sim-
plifies printer searches. It is even possible to administer and print to printers over the
intranet or Internet using IPP.
Lesson 3: Maintaining, Monitoring, and
Troubleshooting Printers
Once logical printers have been set up, configured, and shared on print servers, and
once clients have been connected to those printers, you must begin to maintain and
monitor those logical and physical printers. This lesson will give you guidance in the
maintenance and troubleshooting of printers in a Windows Server 2003 environment.
You will learn to support printer drivers, to redirect printers, to configure performance
and utilization logs, and to methodically troubleshoot print errors.
After this lesson, you will be able to
■ Manage printer drivers
■ Redirect a printer
■ Monitor printer performance
■ Audit printer access
■ Troubleshoot printer failures
Estimated lesson time: 20 minutes
Maintaining Printers
There are no regular maintenance tasks for the print service on a computer running
Windows Server 2003. The maintenance tasks defined below are typically performed on
a periodic, as-needed basis. Keep in mind that when managing printers, actions may
affect an entire printer or all printers on the print server, not just individual print jobs.
Managing Printer Drivers
The first grouping of maintenance tasks relates to drivers on the print server. As men-
tioned earlier in the lesson, it is helpful to install drivers for all client platforms that will
use a particular shared printer. Windows clients will download the driver automatically
when they connect to the printer. Drivers for various platforms are installed by clicking
Additional Drivers on the Sharing tab of a printer’s Properties dialog box.
To update drivers for a single logical printer, select the Advanced tab of the Properties
dialog box and click New Driver. You will then be able to select additional drivers by
indicating the manufacturer and model or by clicking Have Disk and providing the
manufacturer’s drivers.
You can also manage drivers for the print server as a whole. In the Printers And Faxes
folder, select Server Properties from the File menu and click the Drivers tab. Here you
can add, remove, reinstall, or access the properties of each of the drivers on the print
server. Changes made to these drivers will affect all printers on the server.
If you want to list all of the files related to a particular printer driver, open the print
server’s Drivers tab, select the driver, and click Properties. The names and descriptions of
all the files that are part of the specific driver will appear. From this list, it is possible to
view details regarding any of the files by selecting the file and then clicking Properties.
Redirecting Print Jobs
If a printer is malfunctioning, you can send documents in the queue for that printer to
another printer connected to a local port on the computer or attached to the network.
This is called redirecting print jobs. It allows users to continue sending jobs to the log-
ical printer and prevents users with documents in the queue from having to resubmit
the jobs.
To redirect a printer, open the printer’s Properties dialog box and click the Ports tab.
Select an existing port or add a port. The check box of the port of the malfunctioning
printer is immediately cleared unless printer pooling is enabled, in which case you
must manually clear the check box.
Because print jobs have already been prepared for the former printer, the printer on
the new port must be compatible with the driver used in the logical printer. All print
jobs are now redirected to the new port. You cannot redirect individual documents. In
addition, any documents currently printing cannot be redirected.
Monitoring Printers
Windows Server 2003 provides several methods to monitor printers and printing
resources.
Using System Monitor and Performance Logs and Alerts
The System Monitor and Performance Logs And Alerts snap-ins, both of which are
included in the Performance MMC, allow you to observe real-time performance of print-
ers, log metrics for later analysis, or set alert levels and actions. System Monitor and Per-
formance Logs And Alerts are discussed in detail in Chapter 12, “Monitoring Microsoft
Windows Server 2003.” To add a counter to System Monitor, right-click the graph area
and choose Add Counters. Select the performance object (in this case Print Queue), the
desired counters, and the instance representing the logical printer to monitor.
After selecting Print Queue as the performance object, a list of all available perfor-
mance counters is provided. You can select any counter and click Explain to learn
about that particular performance metric.
The most important performance counters for monitoring printing performance are the
following:
■ Bytes Printed/Sec The number of bytes of raw data per second that are sent to
the printer. Low values for this counter can indicate that a printer is underutilized
because there are no jobs, print queues are not evenly loaded, or the server is too
busy. This value varies according to the type of printer. Consult printer documen-
tation for acceptable printer throughput values.
■ Job Errors Number of job errors. Job errors are typically caused by improper
port configuration; check port configuration for invalid settings. A printing job
instance will increment this counter only once, even if it happens multiple times.
Also, some print monitors do not support job error counters, in which case the
counter will remain at 0.
■ Jobs The number of jobs being spooled.
■ Total Jobs Printed The number of jobs sent to the printer since the spooler was
started.
■ Total Pages Printed The number of pages printed since the spooler was started.
This counter provides a close approximation of printer volume, although it may
not be perfect, depending on the type of jobs and the document properties for
those jobs.
Exam Tip The Total Jobs Printed and Total Pages Printed counters are cumulative. They
represent the number of jobs or pages printed since the system was started or since the
spooler was restarted.
Using System Log
Using Event Viewer, you can examine the System log as a source of information
regarding spooler and printer activity. By default, the spooler registers events regarding
printer creation, deletion, and modification. You will also find events containing informa-
tion about printer traffic, hard disk space, spooler errors, and other maintenance issues.
To control or modify spooler event logging, open the Printers And Faxes folder and
choose Server Properties from the File menu. Click the Advanced tab to access the
properties as shown in Figure 8-9. From this page, you can control printer event log
entries and print job notifications. This is also the tab that enables you to move the
print spooler folder—an important task when configuring an active print server or
when an existing print spool folder’s disk volume becomes full.
Figure 8-9 The Advanced tab of the Print Server Properties dialog box
Auditing Printer Access
Printer access, like file and folder access, can be audited. You can specify which groups
or users and which actions to audit for a particular printer. After enabling object access
auditing policy, you can view resulting audit entries using Event Viewer.
To configure auditing for a printer, open its Properties dialog box, click the Security
tab, and then click Advanced. Click the Auditing tab and add entries for specific groups
or users. For each security principal you add to the audit entry list, you can configure
auditing for successful or failed access based on the standard printer permissions,
including Print, Manage Documents, and Manage Printers.
You must then enable the Audit Object Access policy, which is located in group or
local policy under Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy. After the policy has taken effect, you can examine the Security
event log to see and analyze entries made based on printer auditing.
Tip Printer auditing creates dozens of entries for a single print job. It is, therefore, useful
when troubleshooting only very specific problems. Printer auditing should not be used to mon-
itor use or to bill for printer usage. Instead, performance counters such as Total Jobs Printed
or Total Pages Printed should be analyzed.
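The Tip above says printer auditing is too noisy for usage tracking but useful for specific problems. The following is an added example, not part of the training kit, showing how an administrator can reduce that noise when reviewing an exported Security log: it counts distinct object handles per user, printer, access right and outcome, so the several entries one job generates count as one attempt, and then lists principals whose failed attempts on a single right reach a threshold. SAMPLE_EXPORT is a constructed, simplified stand-in for an Event Viewer export; the column names, user names and handle values are assumptions, not the exact fields Windows Server 2003 writes.

```python
"""Summarize printer object-access audit entries from an exported Security log.

Added example, not from the training kit. SAMPLE_EXPORT is a constructed,
simplified stand-in for an Event Viewer export (the column names are
assumptions, not the exact fields Windows Server 2003 writes). It shows the
noise the lesson warns about: one job on SalesPrinter appears as several
entries for the same object handle. Counting distinct handles per user,
printer, access right and outcome collapses that noise, and repeated
failures on one right are what an investigator actually wants to see.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: three entries for one successful Print handle,
# three separate failed Print attempts, one failed Manage Printers attempt,
# and one successful Manage Printers action by an administrator.
SAMPLE_EXPORT = """\
Time,Type,User,Printer,Access,HandleId
2004-03-01 09:00:01,Success Audit,CONTOSO\\jsmith,SalesPrinter,Print,0x3a4
2004-03-01 09:00:01,Success Audit,CONTOSO\\jsmith,SalesPrinter,Print,0x3a4
2004-03-01 09:00:02,Success Audit,CONTOSO\\jsmith,SalesPrinter,Print,0x3a4
2004-03-01 09:05:10,Failure Audit,CONTOSO\\mlee,SalesPrinter,Print,0x3b0
2004-03-01 09:05:11,Failure Audit,CONTOSO\\mlee,SalesPrinter,Print,0x3b1
2004-03-01 09:05:12,Failure Audit,CONTOSO\\mlee,SalesPrinter,Print,0x3b2
2004-03-01 09:20:00,Failure Audit,CONTOSO\\mlee,SalesPrinter,Manage Printers,0x3c0
2004-03-01 09:30:00,Success Audit,CONTOSO\\admin1,SalesPrinter,Manage Printers,0x3d0
"""


def parse_export(text):
    """Parse the comma-separated export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows):
    """Map (user, printer, access, outcome) to the number of distinct handles.

    Several audit entries for one handle are one attempt; counting handles
    rather than entries removes the per-job multiplication.
    """
    handles = defaultdict(set)
    for row in rows:
        outcome = "failure" if row["Type"].startswith("Failure") else "success"
        key = (row["User"], row["Printer"], row["Access"], outcome)
        handles[key].add(row["HandleId"])
    return {key: len(ids) for key, ids in handles.items()}


def flag_failures(summary, threshold=3):
    """Return (user, printer, access, attempts) where failed attempts on one
    access right reach the threshold, sorted for stable reporting."""
    return [
        (user, printer, access, count)
        for (user, printer, access, outcome), count in sorted(summary.items())
        if outcome == "failure" and count >= threshold
    ]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print(len(rows), "raw entries")
    for key, count in sorted(summarize(rows).items()):
        print(key, count)
    print("flagged:", flag_failures(summarize(rows)))
```

With the sample, eight raw entries reduce to six distinct attempts, and only the three failed Print attempts by one user cross the default threshold; the same approach works on a real export once the column names are mapped to whatever the export tool produces.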
Troubleshooting Printers
Troubleshooting is an important part of printer management. The following guidance
will help you understand, identify, and address the types of incidents and problems
that may occur in Windows Server 2003 printing.
Remember when troubleshooting that printing includes multiple components, typically:
■ The application that is attempting to print.
■ The logical printer on the computer on which the application is running.
■ The network connection between the print client and the shared logical printer on
the server.
■ The logical printer on the server—its spool, drivers, security settings, and so on.
■ The network connection between the print server and the printer.
■ The printer itself—its hardware, configuration, and status.
An efficient way to solve most problems associated with printing is to troubleshoot
each component logically and methodically.
Identify the Scope of Failure
If the user can print a job from another application on his or her computer, the error is
most likely related to the failed job’s application rather than to the computer, the net-
work, the print server, or the printer hardware. However, in some cases, using a differ-
ent driver or data type can solve an application’s print errors.
If the user cannot print to the printer from any application, identify whether the user
can print to other printers on the same print server or on other print servers. If all pos-
sibilities fail, and if other users can print to the printers on the network, the error is
likely localized to the user’s computer.
Try creating a local printer on the problematic system that points directly to the
printer’s port. In other words, bypass the printer server. If this process succeeds, there
is a problem on the print server, with communication between the user’s system and
the print server, or with the printer connections on the client.
Verify That the Print Client Can Connect to the Print Server
You can confirm connectivity between the print client and the print server by opening
the printer window from the Printers And Faxes folder on the client computer. If the
printer window opens showing any documents in the printer queue, the client is success-
fully connecting to the shared printer. An error opening the printer window would indi-
cate a potential networking, authentication, or security permissions problem. Attempt
to ping the print server’s IP address. Click Start, choose Run, and type \\printserver.
If the window opens showing the Printers And Faxes folder and any shared folders, the
client is connecting to the server. Double-check security permissions on the logical
printer.
Verify That the Printer Is Operational
Check the printer itself and ensure that it is in the ready state (ready to print). Print a
test page from the printer console. Check the cable connecting the printer to the print
server or the network. If the printer is network attached, confirm that the network
interface card light is on, indicating network connectivity.
Verify That the Printer Can Be Accessed from the Print Server
Most printers can display their IP address on the printer console or by printing out a
configuration page. Confirm that the printer’s IP address matches the IP address of the
logical printer’s port. The port’s IP address can be seen in the printer’s Properties dialog
box on the Ports tab. Ensure that it is possible to communicate with the printer over the
network by pinging the printer’s IP address.
Verify That the Print Server’s Services Are Running
Using the Services MMC, check that services required for the printer are working prop-
erly. For example, confirm that the remote procedure call (RPC) service is running on
the print server. RPC is required for standard network connections to shared printers.
Confirm also that the print spooler service is running on the print server.
Tip The Net Stop Spooler command and Net Start Spooler command can be executed from
the command prompt to restart the print spooler service. If you restart the spooler using com-
mand-line or user interface methods, all documents in all printer queues on the server are
deleted.
You can also examine the volume on which the spool folder is stored to ensure that
there is sufficient disk space for spooling. The spool folder location can be discovered
and modified in the Server Properties dialog box, which you can access by choosing
Server Properties from the File menu of the Printers And Faxes folder.
Note By default, the spool folder points to %Systemroot%\System32\Spool\Printers. For a
high-volume print server, consider moving the spool folder to a partition other than the system
or boot partition. If the partition where the spool folder resides fills to capacity with print jobs,
printing will stop and, more important, the operating system might become unstable.
You should also look at the System log to see if the spooler has registered any error
events, and, in the Printers And Faxes Folder, make sure that the printer is not in
Offline mode.
Attempt to print a job from an application on the print server. If you can print to the
printer from the print server, the problem is not with the printer. If you cannot print to
the printer from an application on the print server, create a new printer directed at the
same port and attempt to print to the new printer. If that job succeeds, there is a prob-
lem in the configuration of the original logical printer. If that job is unsuccessful, there
is a problem communicating with the printer, or with the hardware itself.
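The troubleshooting sequence above checks the links between components in order: client to print server, then print server to printer. The following is an added example, not from the training kit, that automates the connectivity part of those checks with TCP connect probes instead of ping alone. It assumes the client reaches the shared printer over SMB (TCP 445) and that the print server reaches a network-attached printer on the raw JetDirect port (TCP 9100); the port numbers are assumptions about a typical deployment, and the names mktg1 and 10.0.0.51 are reused from this chapter only as placeholders. A completed connection proves the host is up and the port is open; it says nothing about authentication or printer permissions, which the lesson tells you to check separately.

```python
"""Walk the links in the Windows print path with TCP connect probes.

Added example, not from the training kit. It assumes a print client reaches
the shared printer on the print server over SMB (TCP 445) and that the print
server reaches a network-attached printer on the raw JetDirect port (TCP 9100);
both port numbers and the host names are assumptions, not values from the lesson.
"""
import socket

SMB_PORT = 445         # assumed: client -> print server (RPC over SMB named pipes)
RAW_PRINT_PORT = 9100  # assumed: print server -> JetDirect-style network printer


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within the timeout.

    A completed handshake proves the host is up and the port is open; it does
    not prove that authentication or printer permissions are correct.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def print_path_links(print_server, printer_ip):
    """Build the two links for a logical printer shared from a print server.

    The second link is only meaningful when probed from the print server
    itself, because that is the hop the lesson asks you to verify there.
    """
    return [
        ("client -> print server (SMB)", print_server, SMB_PORT),
        ("print server -> printer (raw 9100)", printer_ip, RAW_PRINT_PORT),
    ]


def check_print_path(links, probe=tcp_reachable):
    """Probe each (label, host, port) link in order and return a report.

    The report lists every link's result and names the first link that
    failed, which tells you where in the path to start looking. `probe`
    is injectable so the logic can be exercised without a live network.
    """
    results = []
    first_failure = None
    for label, host, port in links:
        ok = probe(host, port)
        results.append((label, host, port, ok))
        if not ok and first_failure is None:
            first_failure = label
    return {"links": results, "first_failure": first_failure}


if __name__ == "__main__":
    # Placeholder names from the chapter; substitute your own server and printer.
    report = check_print_path(print_path_links("mktg1", "10.0.0.51"))
    for label, host, port, ok in report["links"]:
        print(f"{label:36s} {host}:{port} {'ok' if ok else 'FAILED'}")
    print("first failure:", report["first_failure"] or "none")
```

Run it from the client to test the first hop and from the print server to test the second; if the first hop answers but opening the printer window still fails, the lesson's remaining suspects are authentication and the logical printer's security permissions rather than the network.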
Practice: Troubleshooting a Printer
In this practice, you will redirect a printer. Redirecting a printer is useful in both pro-
active and reactive troubleshooting. If you are going to take a printer offline, you can
redirect its logical printer(s) to another device that is compatible with the logical
printer’s driver. If a printer fails due to a paper jam or other error, you can also redirect
the jobs that have already been sent to, and spooled by, the logical printer, so that
users do not have to wait for the failed printer to be repaired nor resubmit their jobs.
Note that additional troubleshooting practice is included in the “Case Scenario Exer-
cise” and “Troubleshooting Lab” sections of this chapter.
Exercise 1: Redirect a Printer
If a printing device fails, you can redirect print jobs to another printer. Assume you are
printing to HPLJ8100. While your job is in the queue, a job ahead of yours encounters
a paper jam.
1. Open the Printers And Faxes folder and ensure that HPLJ8100 is offline. If it is not,
right-click the printer and choose Use Printer Offline. This will prevent generating
errors because the printer is directed to a nonexistent network port.
2. Open Notepad and enter text into the blank document.
3. Choose the Print command from the File menu and select HPLJ8100 as the printer.
4. In the Printers And Faxes folder, double-click HPLJ8100 to open its printer win-
dow. Confirm that your print job is in the queue.
5. From the Printer menu, choose Properties.
6. Click the Ports tab.
7. As it was configured in Lesson 1, the printer should use the network port
IP_10.0.0.51.
8. Select the check box next to the port IP_10.0.0.52.
9. Click OK. You have now redirected the printer. All jobs in the queue, except any
in-progress jobs, will be directed to the new port. The printer attached to the new
port must be compatible with the driver used by this logical printer because jobs
have already been processed and spooled based on the existing driver.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. A Windows 2003 Server is configured as a print server. In the middle of the work-
day, the printer fuse fails and must be replaced. Users have already submitted jobs
to the printer, which uses IP address 192.168.1.81. An identical printer uses address
192.168.1.217 and is supported by other logical printers on the server. What actions
should you take so that users’ jobs can be printed without resubmission?
a. In the failed printer’s Properties dialog box, select Enable Printer Pooling.
b. At the command prompt, type Net Stop Spooler.
c. At the command prompt, type Net Start Spooler.
d. In the failed printer’s Properties dialog box, select the port 192.168.1.217.
e. In the failed printer’s Properties dialog box, click Add Port.
f. In the Printers And Faxes folder, right-click the failed printer and choose Use
Offline.
2. You’re setting up printing on a computer running Windows Server 2003. You
attach a printer, configure a logical printer, and submit documents for printing, but
the documents do not print completely and sometimes come out garbled. What is
the most likely cause of the problem?
a. There’s insufficient hard disk space for spooling.
b. You’re using an incorrect printer driver.
c. The selected port is not correct.
d. The device settings for the printer are using an incorrect font substitution.
3. Which of the following options will give you the clearest picture of printer utiliza-
tion, allowing you to understand the consumption of printer toner and paper?
a. Configure auditing for a logical printer and audit for successful use of the
Print permission by the Everyone system group.
b. Export the System log to a comma-delimited text file and use Office Excel to
analyze spooler events.
c. Configure a performance log and monitor the Total Pages Printed counter for
each logical printer.
d. Configure a performance log and monitor the Jobs counter for each logical
counter.
Lesson Summary
■ The drivers for a logical printer can be updated or added using the properties of
that printer. Drivers can be added, removed, or reinstalled for all printers on a
print server using the Drivers tab of the Server Properties dialog box.
■ If a printer is to be taken offline, or has already failed, you can redirect all its jobs,
except those in progress, to another printer by adding or selecting the new
printer’s port in the properties of the original logical printer. The alternate port
must represent a printer that is compatible with the driver in use by the original
printer.
■ The Total Jobs Printed and Total Pages Printed performance counters can help you
monitor printer utilization. Bytes Printed/Sec and Errors counters will help you
monitor potential problems with a printer.
■ System events, logged by the spooler service, and security events, logged by
enabling auditing on a printer and the Audit Object Access policy, can provide
additional insight into printer functionality.
■ Because the Windows Server 2003 printer model is modular with the printer itself,
the logical printer on a print server, and the printer on a client connected to the
server’s shared printer, you can methodically troubleshoot a printer failure by
addressing each component and the links between those components.
Case Scenario Exercise
Printer usage is going through the roof at Contoso, Ltd., and the chief operating officer
has asked you to begin billing for printer usage by the Marketing and Sales depart-
ments, each of which are heavy users of printers.
Think Through Your Solution
1. What is the most effective way to monitor printer usage when you are billing for
printer use?
2. How can you monitor the Total Pages Printed counter for the Sales and the Mar-
keting group separately?
Set Up the Printers
If you are unsure how to install a logical printer, refer to Lesson 1, Exercise 1. Create
two printers using the Add Printer Wizard. Use the settings described in the following
tables to complete the Add Printer Wizard and the Add Standard TCP/IP Port Wizard.
Table 8-1 Sales Printer
Description                  Setting
Local Or Network Printer     Local printer attached to this computer. Do not use Plug and Play to detect the printer.
Select A Printer Port        Create a New Port: “Standard TCP/IP Port”
Printer Name Or IP Address   10.0.0.53
Port Name                    IP_10.0.0.53
Device Type                  Hewlett Packard Jet Direct
Manufacturer                 HP
Printer Model                HP LaserJet 8100 Series PCL
Driver To Use                Keep existing driver
Printer Name                 SalesPrinter
Default Printer Option       No
Share Name                   SalesPrinter
Location                     NYC/US/1802Americas/42/B
Comment                      Black and White Output Laser Printer–High Volume
Print A Test Page            No
Table 8-2 Marketing Printer
Description                  Setting
Local Or Network Printer     Local printer attached to this computer. Do not use Plug and Play to detect the printer.
Select A Printer Port        Use the following port: IP_10.0.0.53
Manufacturer                 HP
Printer Model                HP LaserJet 8100 Series PCL
Driver To Use                Keep existing driver
Printer Name                 MarketingPrinter
Default Printer Option       No
Share Name                   MarketingPrinter
Location                     NYC/US/1802Americas/42/B
Comment                      Black and White Output Laser Printer–High Volume
Print A Test Page            No
Create Printer Users Groups
To assign permissions to the printers, you will need security groups. (If you are unsure
how to create groups, refer to Chapter 4, “Group Accounts.”) Create two security
groups of Domain Local scope: Marketing Printer Users and Sales Printer Users.
Assign Permissions to the Printers
1. From the Printers And Faxes folder, open the Properties page of the SalesPrinter.
2. Click the Security tab.
3. Select the Everyone group and click Remove.
4. Click Add.
5. Type Sales Printer Users and click OK.
6. Assign Allow Print permission to the Sales Printer Users.
7. Repeat steps 1 through 6 to allow only the Marketing Printer Users group Print
permission to the MarketingPrinter.
Configure a Performance Log
1. Open the Performance MMC from the Administrative Tools group.
2. Expand the Performance Logs And Alerts node and select Counter Logs.
3. Right-click Counter Logs and choose New Log Settings.
4. Type the log name Printer Utilization.
5. Click OK. The Printer Utilization log’s Properties dialog box appears.
6. Click Add Counters.
7. From the Performance Object drop-down list, select Print Queue.
8. In the Counters list, select Total Pages Printed.
9. In the Instances list, select SalesPrinter.
10. Click Add.
11. In the Instances list, select MarketingPrinter.
12. Click Add.
13. Click Close. The Printer Utilization dialog box indicates that the log will now track
Total Pages Printed for each print queue.
14. Select 30 minutes as the sampling interval by typing 30 in the Interval box and
selecting Minutes from the Units drop-down list.
Note Because Total Pages Printed is cumulative from the time a print server starts or from
the time the spooler service is restarted, it is unnecessary to maintain a short sampling inter-
val. You could sample at very long intervals as long as the server or the spooler service is not
restarted in the middle of those intervals.
15. Click OK to close the Printer Utilization dialog box.
16. If you have not configured another performance log on this computer, you will be
prompted to create the “C:\Perflogs” folder, in which logs are saved by default.
Click Yes to confirm.
17. In the Performance Logs detail pane, the Printer Utilization log is green, indicating
that it is running.
18. Stop the log by right-clicking it and choosing Stop.
Once a performance log has been created, you can examine the log in System Monitor.
Click the View Log Data button on the System Monitor toolbar and you can add the
performance log you generated. This particular log will not be valid for two reasons.
First, two samples must be saved in a performance log for System Monitor to make use
of the log’s data. Unless you wait 60 minutes, or decrease the sampling interval, you
will not be able to load the log. Second, Total Pages Printed will not increment because
the printer does not exist, so pages do not print.
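The case scenario bills each department from the Total Pages Printed counter of its own logical printer, and the Note above explains that the counter is cumulative from the last spooler or server start. This is also the point the Exam Tip in Lesson 3 makes about the Total Jobs Printed and Total Pages Printed counters. The following is an added example, not from the training kit, that turns such a counter log into pages per sampling interval and per-printer totals, and handles the one failure mode the Note describes: a value that drops between samples means the spooler was restarted, so the new value is the count since the restart and whatever printed between the previous sample and the restart cannot be recovered from the log. SAMPLE_LOG is a constructed sample in the general shape of a Performance Logs And Alerts counter log (a header cell, then one counter path per column); the server name MKTG1 and the timestamps are assumptions.

```python
"""Turn a cumulative Total Pages Printed counter log into pages per interval
and per-printer totals for billing.

Added example, not from the training kit. SAMPLE_LOG is a constructed sample
in the general shape of a Performance Logs And Alerts counter log (a header
cell, then one counter path per column); the server name MKTG1 and the
timestamps are assumptions. Total Pages Printed is cumulative since the
spooler started, so a value that drops between two samples means the
spooler (or the server) was restarted in that interval: the new value is the
count since the restart, and whatever printed between the previous sample
and the restart is not recoverable from the log.
"""
import csv
import io
import re
from datetime import datetime

# Constructed sample: 30-minute samples for the two logical printers of the
# case scenario; the drop at 10:30 stands for a spooler restart.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (Eastern Standard Time)(300)","\\MKTG1\Print Queue(SalesPrinter)\Total Pages Printed","\\MKTG1\Print Queue(MarketingPrinter)\Total Pages Printed"
"03/01/2004 09:00:00.000","120","40"
"03/01/2004 09:30:00.000","180","55"
"03/01/2004 10:00:00.000","260","55"
"03/01/2004 10:30:00.000","15","8"
"03/01/2004 11:00:00.000","75","20"
'''

# The Print Queue instance name sits in parentheses inside the counter path.
INSTANCE_RE = re.compile(r"Print Queue\(([^)]*)\)")


def parse_counter_log(text):
    """Return (instances, samples); each sample is (datetime, {instance: int})."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    instances = [INSTANCE_RE.search(path).group(1) for path in header[1:]]
    samples = []
    for row in reader:
        if not row:
            continue
        stamp = datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f")
        values = {inst: int(float(v)) for inst, v in zip(instances, row[1:])}
        samples.append((stamp, values))
    return instances, samples


def pages_per_interval(samples, instances):
    """Difference consecutive samples; return (end_time, {instance: pages}, restarted).

    System Monitor likewise needs at least two samples; with fewer, the
    result is empty.
    """
    intervals = []
    for (_, prev), (stamp, cur) in zip(samples, samples[1:]):
        # All queues share one spooler, so any queue going backwards means the
        # spooler restarted and every queue's counter now counts from zero.
        restarted = any(cur[i] < prev[i] for i in instances)
        if restarted:
            pages = {i: cur[i] for i in instances}
        else:
            pages = {i: cur[i] - prev[i] for i in instances}
        intervals.append((stamp, pages, restarted))
    return intervals


def usage_report(text):
    """Per-printer totals plus the number of restart gaps a billing run should note."""
    instances, samples = parse_counter_log(text)
    intervals = pages_per_interval(samples, instances)
    totals = {i: sum(p[i] for _, p, _ in intervals) for i in instances}
    restarts = sum(1 for _, _, r in intervals if r)
    return {"totals": totals, "restarts": restarts, "intervals": intervals}


if __name__ == "__main__":
    rep = usage_report(SAMPLE_LOG)
    for stamp, pages, restarted in rep["intervals"]:
        note = "  (spooler restarted; count is since restart)" if restarted else ""
        print(stamp.strftime("%H:%M"), pages, note)
    print("totals:", rep["totals"], "restart gaps:", rep["restarts"])
```

On the sample, SalesPrinter bills 215 pages and MarketingPrinter 35, with one restart gap flagged so the department can be told the 10:00 to 10:30 interval is an undercount. Because each department prints through its own logical printer, the per-instance totals are the per-department totals the scenario asks for.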
Troubleshooting Lab
The Marketing department is complaining about print quality on the MarketingPrinter.
When they print from their Windows XP desktops using Microsoft Office applications,
documents print perfectly. But when they print from Adobe applications, the docu-
ments do not always reflect the desired results. The Sales department, which uses a
mix of Windows 2000 and Windows XP workstations, Microsoft Office, and Microsoft
Customer Relationship Management (CRM), does not report any problems with the
SalesPrinter.
As you consider the problem, it occurs to you that some applications produce different
results depending on whether the printer is using PostScript or a non-PostScript driver.
Analyze the Solution
1. Where should you consider adding PostScript drivers? (Choose all that apply.)
a. The Server Properties dialog box of the print server.
b. The printer Properties dialog box of the MarketingPrinter.
c. The printer Properties dialog box of the SalesPrinter.
d. The printers installed on the desktops of each marketing department user.
Change the Printer Driver
1. Open the Printers And Faxes folder.
2. Open the Properties dialog box of the MarketingPrinter.
3. Click the Advanced tab.
4. Click New Driver. The Add Printer Driver Wizard appears.
5. Click Next.
6. Select the Manufacturer: HP.
7. Select the Printer: HP LaserJet 8100 Series PS.
8. Click Next, and then click Finish.
9. Notice that the PostScript driver is now the default driver.
10. Click the Driver drop-down list and you will find that the former, PCL driver is still
listed. If changing the driver to PostScript does not solve the problem, you can
easily switch back to the PCL driver.
Chapter Summary
■ Printer implementation in Windows Server 2003 is modular, consisting of the
printer hardware itself; a print server with a shared, logical printer representing the
physical printer by indicating that printer’s local or network attached port and a
logical printer on a client that connects to the shared printer on the print server.
Understanding the structure and the terminology is critical because documentation
and the user interface is inconsistent and sometimes misleading.
■ Shared printers are published to Active Directory, which enables users to easily
search for printers based on location or other printer properties.
■ When a user finds a printer in the Find Printers dialog box, double-clicking the
printer installs the printer to the user’s computer. Computers running the Windows
operating system download the driver from the server automatically if an admin-
istrator has loaded all appropriate drivers in the shared printer.
■ A single logical printer can direct jobs to more than one port, creating a printer
pool.
■ A single physical printer (port) can be served by multiple logical printers, each of
which can configure unique properties, drivers, settings, permissions, or monitor-
ing characteristics. Such a structure enables you to leverage printer hardware with
incredible flexibility.
■ Printers can be managed, installed, and printed to via the Web if Internet Printing
has been installed and enabled on the print server.
■ Event logs and performance counters allow you to monitor printers for potential
signals of trouble, and for utilization statistics.
Exam Highlights
Before taking the exam, review the key points and terms that are presented below to
help you identify topics you need to review. Return to the lessons for additional prac-
tice and review the “Further Readings” sections in Part 2 for pointers to more informa-
tion about topics covered by the exam objectives.
Key Points
■ The important distinction between a printer—the hardware, also known as the
print device or physical printer—and a logical printer—also known as a printer.
■ The difference between a printer in the Printers And Faxes folder and an Active
Directory printer object.
■ How to manage printer ports. Understand the difference between, and how to
configure, printer pooling and printer redirection.
■ How to configure multiple logical printers to a single physical printer. Be familiar
with the variety of properties that can be configured uniquely in each logical
printer, including security permissions.
■ How to monitor printer utilization and troubleshoot printer problems.
Key Terms
logical printer Represents a physical printer by serving the printer’s port. The logi-
cal printer includes the queue, the drivers, settings, permissions, and printing
defaults that manage the creation of a print job for a printer.
network printer In the context of the Microsoft Windows user interface, a logical
printer that is a client of—that is connected to—a shared logical printer on another
computer. Not to be confused with a network-attached printer, which is served by
a local printer on the print server.
Questions and Answers
Lesson 1 Review (Page 8-13)
1. You’re setting up a printer on your computer running Windows Server 2003. The
computer will be used as a print server on your network. You plan to use a print
device that’s currently connected to the network as a stand-alone print device.
Which type of printer should you add to the print server? (Choose all that apply.)
a. Network
b. Shared
c. Local
d. Remote
The correct answers are b and c. A local printer is one that supports a printer directly attached
to the computer or a stand-alone network-attached printer. For the computer to act as a print
server, the printer must be shared.
2. You’re installing a printer on a client computer. The printer will connect to a logical
printer installed on a print server running Windows Server 2003. What type or types
of information could you provide to set up the printer? (Choose all that apply.)
a. TCP/IP printer port
b. Model of the print device
c. URL to printer on print server
d. UNC path to print share
e. Printer driver
The correct answers are c and d. When you add a network printer, you can search for the printer
in Active Directory, enter the UNC or URL to the printer, or browse for the printer. When you con-
nect to the printer, the model is specified by the shared logical printer, and the driver is down-
loaded automatically.
3. One of your printers is not working properly, and you want to prevent users from
sending print jobs to the logical printer serving that device. What should you do?
a. Stop sharing the printer
b. Remove the printer from Active Directory
c. Change the printer port
d. Rename the share
The correct answer is a. If you stop sharing the printer, users will no longer be able to use the
print device. You can use the Sharing tab in the printer’s Properties dialog box to stop sharing
the printer.
4. You’re administering a computer running Windows Server 2003 configured as a
print server. You want to perform maintenance on a print device connected to the
print server. There are several documents in the print queue. You want to prevent
the documents from being printed to the printer, but you don’t want users to have
to resubmit the documents to the printer. What is the best way to do this?
a. Open the printer’s Properties dialog box, select the Sharing tab, and then
select the Do Not Share This Printer option.
b. Open the printer’s Properties dialog box and select a port that is not associated with a print device.
c. Open the printer’s queue window, select the first document, and then select
Pause from the Document window. Repeat the process for each document.
d. Open the printer’s queue window and select the Pause Printing option from
the Printer menu.
The correct answer is d. When you select the Pause Printing option, the documents will remain
in the print queue until you resume printing. This option applies to all documents in the queue.
Lesson 2 Review (page 8-26)
1. You’re administering a computer running Windows Server 2003 configured as a print server. Users in the Marketing group complain that they cannot print documents using a printer on the server. You view the permissions in the printer’s properties. The Marketing group is allowed Manage Documents permission. Why can’t the users print to the printer?
a. The Everyone group must be granted the Manage Documents permission.
b. The Administrators group must be granted the Manage Printers permission.
c. The Marketing group must be granted the Print permission.
d. The Marketing group must be granted the Manage Printers permission.
The correct answer is c. The Print permission allows users to send documents to the printer.
2. You’re setting up a printer pool on a computer running Windows Server 2003. The
printer pool contains three print devices, all identical. You open the properties for
the printer and select the Enable Printer Pooling option on the Ports tab. What
must you do next?
a. Configure the LPT1 port to support three printers.
b. Select or create the ports mapped to the three printers.
c. On the Device Settings tab, configure the installable options to support two
additional print devices.
d. On the Advanced tab, configure the priority for each print device so that
printing is distributed among the three print devices.
The correct answer is b. Printer pooling is configured from the Ports tab of the printer’s Properties dialog box. To set up printer pooling, select the Enable Printer Pooling check box, and then select or create the ports corresponding to printers that will be part of the pool.
3. You’re the administrator of the computer running Windows Server 2003 that is
configured as a print server, and you want to administer the print services from a
Web browser on a client computer. The server is named Mktg1, but you don’t
know the share name of the printer. Which URL should you use to connect to the
printer?
a. http://mktg1/printers
b. http://printers/mktg1
c. http://windows/web/printers
d. http://windows/mktg1
The correct answer is a. To gain access to all printers on a print server by using a Web browser,
open the Web browser and connect to http://printserver/printers to view a list of printers. From
there you can access a specific printer. If you want to gain access to a specific printer without
first viewing a list of all printers, use http://printserver/printersharename.
4. You want to configure a logical printer so that large, low-priority documents will
be printed overnight. Which of the following options will you configure in the
printer’s Properties dialog box?
a. Priority
b. Available From / To
c. Start Printing After Last Page Is Spooled
d. Print Directly To The Printer
e. Keep Printed Documents
The correct answer is b. The printer schedule allows a printer to receive jobs and hold them
until the printer is available. The default setting, Always Available, sends a job to the printer
when it is free. When you configure Available From / To, you specify the hours during which print
jobs can be sent to the printer.
Lesson 3 Review (page 8-36)
1. A Windows 2003 Server is configured as a print server. In the middle of the workday,
the printer fuse fails and must be replaced. Users have already submitted jobs to
the printer, which uses IP address 192.168.1.81. An identical printer uses address
192.168.1.217 and is supported by other logical printers on the server. What
actions should you take so that users’ jobs can be printed without resubmission?
a. In the failed printer’s Properties dialog box, select Enable Printer Pooling.
b. At the command prompt, type Net Stop Spooler.
c. At the command prompt, type Net Start Spooler.
d. In the failed printer’s Properties dialog box, select the port 192.168.1.217.
e. In the failed printer’s Properties dialog box, click Add Port.
f. In the Printers And Faxes folder, right-click the failed printer and choose Use
Offline.
The correct answer is d. Because the other printer is already supported by logical printers on
the server, there is no need to add a new port. Simply select the existing port.
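The redirection described in this answer, as an added example that is not from the book: the failed device’s logical printer is moved onto the port that already addresses the identical working device, so queued jobs print without resubmission. The cmdlets assume the PrintManagement module (Windows 8 / Windows Server 2012 or later); the printer name is constructed, and the address is the one in the scenario.

```powershell
# Added example (not from the book). Assumes the PrintManagement module.
$failedPrinter = 'SalesPrinter'      # constructed logical printer name
$spareDevice   = '192.168.1.217'     # address of the identical working device (from the scenario)

# 1. The scenario says other logical printers already use this device, so a port
#    should already exist. Look it up instead of clicking Add Port.
$port = Get-PrinterPort | Where-Object { $_.PrinterHostAddress -eq $spareDevice }
if (-not $port) {
    throw "No existing port for $spareDevice. Only then would Add-PrinterPort be needed."
}

# 2. Show which logical printers currently share that port (expected: at least one).
Get-Printer | Where-Object { $_.PortName -eq $port.Name } | Select-Object Name, PortName

# 3. Repoint the failed device's logical printer to the existing port. This is the
#    same change as selecting the port on the Ports tab of the printer's Properties.
Set-Printer -Name $failedPrinter -PortName $port.Name

# 4. Verify the port change and confirm the jobs are still queued; they will now be
#    sent to the working device rather than waiting for the failed one.
Get-Printer  -Name $failedPrinter | Select-Object Name, PortName
Get-PrintJob -PrinterName $failedPrinter | Select-Object Id, DocumentName, JobStatus
```

The check in step 1 is the point the answer makes: adding a second port for a device that already has one creates a duplicate to maintain, and selecting the existing port is both simpler and keeps the jobs in the queue.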
2. You’re setting up printing on a computer running Windows Server 2003. You
attach a printer, configure a logical printer, and submit documents for printing, but
the documents do not print completely and sometimes come out garbled. What is
the most likely cause of the problem?
a. There’s insufficient hard disk space for spooling.
b. You’re using an incorrect printer driver.
c. The selected port is not correct.
d. The device settings for the printer are using an incorrect font substitution.
The correct answer is b. An incorrect printer driver can yield documents that are garbled or
incompletely printed. Install the correct printer driver.
3. Which of the following options will give you the clearest picture of printer utilization, allowing you to understand the consumption of printer toner and paper?
a. Configure auditing for a logical printer and audit for successful use of the
Print permission by the Everyone system group.
b. Export the System log to a comma-delimited text file and use Office Excel to
analyze spooler events.
c. Configure a performance log and monitor the Total Pages Printed counter for
each logical printer.
d. Configure a performance log and monitor the Jobs counter for each logical printer.
The correct answer is c. The Total Pages Printed counter gives the clearest picture of printer
toner and paper consumption, because such consumption is most closely associated with the
number of pages, not the number of jobs, printed. The spooler and object access events logged
in the System and Security logs will be cumbersome at best and, most likely, completely
unhelpful in this task.
Case Scenario (page 8-38)
1. What is the most effective way to monitor printer usage when you are billing for
printer use?
Windows Server 2003 adds a Printer Queue performance object, which allows you to monitor printer usage for each logical printer defined on the server. The Total Pages Printed counter provides important information about printer use. It is not perfect because certain document properties and special printing features (such as a booklet printing or multiple-pages-per-page setting) will affect the printer hardware directly without the spool’s being able to track their effects. However, it is the best approximation available. By configuring a performance log and capturing the counter, you can later analyze the log and bill for usage.
2. How can you monitor the Total Pages Printed counter for the Sales and the Marketing group separately?
The Total Pages Printed counter captures performance data for a single, logical printer. To monitor the two groups separately, you must configure two separate logical printers. Each printer will address the same port—the same physical printer—but will allow only users from one group to print.
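The monitoring described in both scenario answers, as an added example that is not from the book: it reads the Total Pages Printed counter for every logical printer (one instance per queue, so two queues such as SalesPrinter and MarketingPrinter on the same port are reported separately) and creates the performance log the answer recommends for later billing analysis. The queue names are constructed; the script assumes PowerShell 3.0 or later and the logman tool, which ships with Windows.

```powershell
# Added example (not from the book). Queue names are constructed for illustration.
function Get-PagesPrintedPerQueue {
    # One counter instance exists per logical printer, so separating Sales and
    # Marketing is a matter of giving each group its own logical printer.
    $sample = Get-Counter -Counter '\Print Queue(*)\Total Pages Printed'
    $sample.CounterSamples |
        Where-Object { $_.InstanceName -ne '_total' } |
        Sort-Object CookedValue -Descending |
        Select-Object @{ n = 'Queue';             e = { $_.InstanceName } },
                      @{ n = 'TotalPagesPrinted'; e = { [int]$_.CookedValue } }
}

# Instantaneous view, e.g. rows for SalesPrinter and MarketingPrinter (constructed names).
Get-PagesPrintedPerQueue | Format-Table -AutoSize

# Billing needs history, so create a counter log that samples every 5 minutes to CSV.
# Total Pages Printed is cumulative since the spooler started, so bill on the
# difference between samples, not on the raw value.
$logName = 'PrinterBilling'                     # constructed log name
$outPath = 'C:\PerfLogs\PrinterBilling'         # constructed output path
logman create counter $logName -c '\Print Queue(*)\Total Pages Printed' -si 00:05:00 -f csv -o $outPath
logman start $logName

# Later: compute pages printed per queue between two rows of the CSV log.
function Get-PagesBetweenSamples {
    param([string]$CsvPath, [string]$QueueName)
    $rows   = Import-Csv -Path $CsvPath
    $column = ($rows[0].PSObject.Properties.Name | Where-Object { $_ -like "*($QueueName)*" })[0]
    [int]$rows[-1].$column - [int]$rows[0].$column
}
```

The CSV column names produced by logman include the computer and instance name, which is why the second function matches the column with a wildcard on the queue name rather than assuming a fixed header.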
Troubleshooting Lab (page 8-41)
1. Where should you consider adding PostScript drivers? (Choose all that apply.)
The correct answer is b. Adding the PostScript driver for the MarketingPrinter will cause that
printer to use the PostScript driver, without affecting the SalesPrinter. Although each client
printer will require the PostScript driver as well, you do not need to add the driver manually.
Windows 2000 and Windows XP clients will download the new driver automatically.
9 Maintaining the Operating System
Exam Objectives in this Chapter:
■ Manage software update infrastructure
■ Manage software site licensing
Why This Chapter Matters
On June 14, 2005, Microsoft released 10 security bulletins as part of its monthly update release. Three of these were rated “Critical,” and analysts expected that code exploiting the vulnerabilities would hit the streets within one week. In late 2005 a vulnerability in the Windows Metafile Format (WMF) was announced and exploits were released before Microsoft was able to fully regression test an update against the wide variety of operating systems and applications affected by the problem. No longer is it acceptable to wait for Service Pack 3 before deploying Service Pack 2, as was the practice in many organizations until recently. It is now understood that an enterprise network that is not updated with code fixes is simply not secure. Software updates have now become part and parcel of the security strategies of an organization.
In this chapter, you will learn how to apply Microsoft Windows Server Update Services (WSUS) to keep servers and desktops up to date. WSUS allows an enterprise to centralize the downloading, testing, approval, and distribution of Windows-critical updates and Microsoft Windows security rollups. This service will play a significant role in maintaining the integrity of your enterprise network. You will also learn how to deploy Service Packs to one or more machines. Finally, you will examine the components of site software licensing.
Lessons in this Chapter:
■ Lesson 1: Windows Server Update Services (page 9-3)
■ Lesson 2: Service Packs (page 9-27)
■ Lesson 3: Administering Software Licenses (page 9-30)
Before You Begin
This chapter presents the skills and concepts related to administering Windows Server Update Services, service pack deployment, and licensing. Although it is advantageous to have two computers (a computer running Microsoft Windows Server 2003 and a client running Windows XP or Windows 2000 Professional), you can complete the exercises in this chapter with only one computer. Prepare the following:
■ Windows Server 2003 (Standard Edition or Enterprise Edition) installed as Server01
and configured as a domain controller in the domain contoso.com
■ 10 GB of free disk space to support the installation of WSUS
❑ A first-level organizational unit (OU) named Desktops
❑ Networking configured to provide Internet connectivity
Lesson 1: Windows Server Update Services
To maintain a secure computing environment, it is critical to keep systems up to date with security patches. Since 1998, Microsoft has provided Windows Update as a Web-based source of information and downloads. With Windows XP and Windows 2000 Service Pack 3, Microsoft added Automatic Updates, through which a system automatically connects to Windows Update and downloads any new, applicable patches or “hotfixes.” Although the Windows Update servers and Automatic Updates client achieve the goal of keeping systems current, many administrators are uncomfortable with either computers or users deciding which patches should be installed because a patch might interfere with the functioning of a business-critical application.
Microsoft’s first effort to create a centralized technology for managing software updates was Software Update Services (SUS). SUS addressed the demands of Microsoft customers for easier deployment of security updates but lacked key features, including the capability to update applications such as Microsoft Office and to easily report the status of patched systems on the network.
In mid-2005, Microsoft released Windows Server Update Services (WSUS), a significant enhancement of the technologies that had been introduced as SUS. Like SUS, WSUS is a client-server application that enables a server on your intranet to act as a point of management for the distribution of updates. You can approve updates for WSUS clients, which then download and install the approved updates automatically without requiring local administrator account credentials or user interaction.
In this lesson, you will learn to install and administer WSUS on a computer running
Windows Server 2003. The following lesson will guide you through the steps required
to configure systems on your network to receive updates from WSUS.
Exam Tip As of the date of writing, the 70-290 certification exam objectives relate only to SUS. Although it would be expected that Microsoft will update the exam, it is important that you study and thoroughly understand SUS prior to taking the 70-290 exam. We have included the previous version of this chapter on the CD-ROM accompanying this book.
After this lesson, you will be able to
■ Install WSUS on a computer running Windows Server 2003
■ Configure WSUS
■ Deploy and configure Automatic Updates for WSUS clients
Estimated lesson time: 30 minutes
Understanding WSUS
Since 1998, Microsoft Windows operating systems have supported Windows Update, a globally distributed source of updates. Windows Update servers interact with client-side software to identify critical updates, security rollups, and enhancements that are appropriate to the client platform and then to download approved patches. Several years later, Microsoft introduced Automatic Updates, a client-side component that enabled users to schedule update detection, download, and installation and thereby removed most of the risk presented by users who never visited the Windows Update site.
But Automatic Updates and the server-side Windows Update still had two major faults. First, they provided updates to only the Windows operating system. Users had to visit the Office Updates site to receive patches for Microsoft Office applications, and those patches could not be scheduled or installed without user interaction. There was no mechanism for automatically detecting updates to any other major Microsoft platform, server, or application. The second weakness of Automatic Updates and Windows Update was that there was not a way to control exactly which updates were applied, leading to a risk that an update would “break” another system component or application. Administrators wanted a more centralized solution that would assure more direct control over updates that are installed on their clients.
These two key customer demands were addressed during the first half of the decade, first by SUS, which enabled enterprises to centralize and manage the approval and distribution of updates; second, by the new Microsoft Update service (http://update.microsoft.com/microsoftupdate), a revision and superset of Windows Update that provides updates to a variety of platforms, servers, and applications; and third, by WSUS, which empowers you with greater levels of control and reporting and provides a foundation for an update framework on which Microsoft and its customers can build new functionality. For example, Microsoft’s new corporate antispyware platform will deliver updates to spyware definitions through WSUS.
It is easiest to understand WSUS by focusing on its components:
■ Updates Updates are revisions to the code of a platform, server, or application. Microsoft categorizes updates as security updates, nonsecurity-related patches simply called “updates,” enhancements to functionality called “feature packs,” fixes to highly specific issues called “hotfixes,” and collections of updates called “cumulative updates,” “rollups,” or “service packs.” The lines between these categories are sometimes blurry; however, two points are important to highlight. First, security updates warrant your immediate and focused attention with the goal of evaluating updates for deployment to appropriate systems as quickly as reasonably possible. To facilitate your analysis, Microsoft rates security updates as “Critical,” “Important,” “Moderate,” and “Low.” Second, hotfixes, which are highly specific and have not been regression tested, should be applied only to systems that are encountering the issue addressed by the hotfix. Other categories of updates fall between these two extremes.
Updates consist of two elements: the update file itself, which is downloaded and
installed by the client, and information about the update, such as its release date,
the technologies to which the update applies, and whether the update supersedes
a previous update. The information about the update is called metadata.
■ The Windows Update and Microsoft Update services These globally distributed services provide updates to clients. Users visiting these sites download an ActiveX control that interacts with the local system to identify, download, and install required updates.
■ Automatic Updates The Automatic Updates client is responsible for downloading updates from Windows Update, Microsoft Update, or a WSUS server and installing those updates based on a schedule or an administrator’s initiation.
■ WSUS, running on an Internet Information Services (IIS) server with connectivity to a local or remote database WSUS is responsible for synchronizing information about available updates from Microsoft Update and, typically, downloading approved updates. WSUS thereby centralizes the distribution of updates, so Automatic Updates clients can be directed to use an intranet update infrastructure rather than Microsoft’s online update services. You can distribute WSUS servers throughout an enterprise to provide the most effective delivery of updates to systems in the enterprise, and you can configure each WSUS server to download from either Microsoft’s update services or another internal WSUS server. The WSUS database, in which information about updates and clients is stored, can be either Microsoft SQL Server 2000 or later or SQL Server 2000 Desktop Engine (Windows) (WMSDE). The choice of a database engine will be discussed later in the lesson.
■ The WSUS administration Web site All WSUS administration is Web-based. After installing and configuring WSUS, regular administration consists of ensuring that the WSUS server is synchronizing successfully, approving updates for distribution to network clients, and reporting the status of the update infrastructure. The Uniform Resource Locator (URL) of a WSUS server’s administrative Web site is, by default, http://servername/WSUSAdmin.
■ Group Policy settings Automatic Updates clients can be configured to synchronize from a WSUS server rather than the Windows Update servers by modifying the clients’ registries or, more efficiently, by configuring Windows Update policies in a Group Policy Object (GPO). The configuration of the Automatic Updates client will be addressed in the next lesson.
An update infrastructure based upon these components functions using the following
important processes:
■ Subscription to updates A WSUS administrator subscribes to updates based on category (for example, security updates and service packs), technology (for example, Windows Server 2003, Windows XP, and Microsoft Office 2003), and language. Subscriptions can be modified at any time.
■ Synchronization The WSUS server downloads metadata about updates only for subscribed content, technologies, and languages during a process called synchronization. If the server is configured to download update files themselves, as well as their metadata, the files are also downloaded during synchronization. Synchronization can be scheduled or initiated manually.
■ Approval Updates can be approved by a WSUS administrator or can be autoapproved based on rules configured on the server. An update can be approved for one of several actions: detection, installation, or removal. These actions will be addressed later in this lesson.
■ Targeting It is common for administrators to apply certain updates to a subset
of systems, based on the role, location, function, or priority of the system. WSUS,
unlike SUS, provides for targeting updates to specified groups of computers.
■ Client redirection Through registry entries or Group Policy settings, clients can be directed to receive updates from a WSUS server rather than from Microsoft Update or Windows Update. It’s very important to remember that all systems should be considered update clients. Servers and domain controllers require constant updating as much as workstations.
■ Detection The Automatic Updates client receives metadata about an update and
uses that metadata to determine whether the update is applicable.
■ Download If a system identifies an applicable update, the update is downloaded to the local hard drive. Updates are downloaded using Background Intelligent Transfer Service (BITS) 2.0, which makes effective use of network bandwidth by using only available bandwidth for file transfer.
■ Installation The update file is applied using elevated credentials, so no user
interaction is required and administrative credentials are not necessary. Because
Microsoft’s updates are digitally signed and verified by both the WSUS server and
the client, security exposure to a malformed update is minuscule.
■ Reporting Clients report the status of updates to the WSUS server. Administrators can produce reports based on the status of computers or updates using the WSUS administrative Web site.
■ Rebooting Some updates require a system restart; however, Microsoft is improving the functionality of updates so that patches to drivers, dynamic-link libraries (DLLs), application programming interfaces (APIs), or any nonkernel-level component will not require a reboot—a feature called “hot patching” that was introduced in Service Pack 1.
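The client redirection step above can be done through registry entries as well as Group Policy; the following is an added example, not from the book, that writes the same policy values a Windows Update GPO sets, so a client detects, downloads, and reports against the intranet WSUS server instead of Microsoft Update. The server URL and schedule are constructed; the group name “Test Systems” is the one used later in this lesson. Run it elevated on the client, and expect Group Policy, where it applies, to overwrite these values on the next refresh.

```powershell
# Added example (not from the book). Server URL, schedule and port are constructed.
$wsusUrl = 'http://wsus01.contoso.com:8530'   # constructed; 8530 is the alternate WSUS port
$policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au      = Join-Path $policy 'AU'

foreach ($key in $policy, $au) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Detection/download server and status (reporting) server. Both point at WSUS so
# that the server's reports reflect this client.
Set-ItemProperty -Path $policy -Name WUServer       -Value $wsusUrl -Type String
Set-ItemProperty -Path $policy -Name WUStatusServer -Value $wsusUrl -Type String

# Client-side targeting: the WSUS computer group this client should join.
Set-ItemProperty -Path $policy -Name TargetGroupEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $policy -Name TargetGroup        -Value 'Test Systems' -Type String

# Tell Automatic Updates to use the intranet server instead of Windows Update.
Set-ItemProperty -Path $au -Name UseWUServer -Value 1 -Type DWord
# AUOptions 4 = auto download and schedule the install; day 0 = every day; hour 3 = 03:00
Set-ItemProperty -Path $au -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value 3 -Type DWord

# Read back what was written, then make the client re-read policy and detect now.
Get-ItemProperty -Path $policy | Select-Object WUServer, WUStatusServer, TargetGroupEnabled, TargetGroup
Get-ItemProperty -Path $au     | Select-Object UseWUServer, AUOptions, ScheduledInstallDay, ScheduledInstallTime
Restart-Service -Name wuauserv
wuauclt.exe /detectnow
```

The read-back at the end is the check worth keeping: a client that still shows no WUServer value, or UseWUServer set to 0, is quietly updating from the Internet rather than from the approved list on the WSUS server.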
Now that you understand the components and processes involved with getting an
update from Microsoft to the client, we will spend the rest of this lesson focused on the
server-side installation and configuration of WSUS. Keep in mind that you will use
Group Policy to “point” clients to your WSUS server for updates. We will discuss the
details of that task later in this lesson. Each of the concepts and procedures outlined in
this chapter is explored in depth in the WSUS documentation, which is available along
with the WSUS installation files, from http://www.microsoft.com/wsus.
Designing a WSUS Infrastructure
The WSUS documentation details the considerations related to the design of an update
infrastructure. Key concepts include the selection and placement of WSUS servers and
the relationships between WSUS servers and the Microsoft Update service.
Because the goal of WSUS is to deliver updates to clients as efficiently as possible, you should place WSUS servers as close to systems as you can. Ideally, you do not want clients to have to pull updates from a WSUS server on the other side of a slow or expensive wide area network (WAN) link. WSUS is not a particularly performance-intensive service, and you can design your update infrastructure to synchronize updates from Microsoft and deliver updates to clients during nonbusiness hours. Therefore, WSUS can be co-located on servers that perform other duties during business hours. Consider that each WSUS requires IIS and a database instance: SQL Server 2000 or later or WMSDE.
Planning There is another design driver that is particularly salient in larger organizations:
WSUS can be administered only by users who are local administrators on the WSUS server.
There is no other way to delegate administration of WSUS. Therefore, you should co-locate
WSUS only with other services and resources for which the same users are administrators.
This security and delegation characteristic also suggests that, where possible, WSUS should
be installed on a member server rather than on a domain controller. Otherwise, to administer
WSUS, a user must be logged on with credentials that have administrative privileges for the
entire domain.
Using SUS, a server could have only one list of approved updates. Therefore, if you wanted to deliver different sets of updates to different clients—for example, one collection of updates to servers and a different collection of updates to workstations—you needed to point each group of computers to a separately administered SUS server.
WSUS introduces the concept of client groups, which allows you to create virtual collections of systems, each of which can receive a unique set of updates on a unique release schedule. For example, you might create a group called “Test Systems” for which you approve updates for installation soon after Microsoft releases the updates. If these test systems prove that the updates are appropriate for your organization, you can then approve the updates for installation on other computers. Using client groups, you can support many update configurations using a single WSUS server. Therefore, with WSUS, you are no longer forced into a multiple-server model solely to support multiple combinations of updates. The purpose of using multiple WSUS servers is solely to deliver the updates with minimal network cost to update clients.
After selecting the servers on which WSUS will be hosted, you must determine how updates will flow from Microsoft Update to each server. One or more servers can synchronize their updates directly from Microsoft Update. Each such server can be independently administered, allowing you to have a completely unique collection of approved updates on each server. In a highly decentralized update infrastructure, this might be desirable.
A more typical configuration involves one “upstream” WSUS server that synchronizes
from Microsoft Update, with other “downstream” servers synchronizing from that
server. You can, in fact, have several levels of downstream servers, each pointing to an
upstream server as its source for updates. However, update service models more than
three levels deep are not recommended.
A hierarchical configuration can be structured in two ways: as a replica or as a decentralized model. In a replica model, the downstream WSUS server mirrors exactly the updates and approvals of its upstream server. This highly centralized administrative model ensures consistently applied updates. Clients pointed to either of the WSUS servers will receive the same updates. The only differences between two replicas are the set of computers that have been pointed to each server and, therefore, the specific computers that belong to client computer groups on each server.
In a decentralized model, each downstream server synchronizes updates from an upstream server, but update approvals are managed on each downstream server individually. A downstream server will synchronize an update from its upstream server only if the update has been approved on the upstream server. Therefore, the upstream server, rather than Microsoft Update, acts as the authoritative source of available updates. Administrators of downstream servers can approve any subset of those updates. Such a structure allows administrators of upstream servers to prevent updates that might cause problems from propagating to downstream servers and clients.
Installing WSUS on a Windows Server 2003 Computer
An update infrastructure has both client and server components. The client component, Automatic Updates, will be discussed later in this lesson. The server component, WSUS, runs on Windows 2000 Server (Service Pack 4) or Windows Server 2003 on a 32-bit system. WSUS cannot be installed on 64-bit Windows Server 2003 platforms. This is an important exception. Windows Server 2003 64-bit systems can be clients of WSUS: they can receive updates from WSUS but cannot actually provide update services to other clients.
WSUS is not included with the Windows Server 2003 media, but it is a free download
from the Microsoft WSUS Web site at http://www.microsoft.com/wsus. WSUS includes
the SQL Server 2000 Desktop Engine (Windows) (WMSDE) database, which is required
to support WSUS, unless you choose to use an instance of SQL Server 2000 or later.
WSUS requires BITS 2.0 or later, which is integrated into SP1 and can be downloaded
separately from the WSUS site for earlier versions of Windows Server 2003 or Windows
2000.
Note The WSUS download is not available in every localized language. However, this download determines the installation and administrative interface for the server component only. Patches for all locales can be made available through WSUS.
Prior to installing WSUS, you must install IIS, which, as you learned in Chapter 6, is not
installed by default on Windows Server 2003. For information about how to install IIS,
see Chapter 6. You must also install BITS 2.0 or later if the server is not running SP1.
Then run the WSUS installation package.
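A pre-installation check for the requirements this section lists (32-bit system, IIS installed, BITS present, and the 40 GB of free NTFS space recommended below), as an added example that is not from the book. It uses only WMI classes and services that exist on Windows Server 2003, but the object syntax assumes PowerShell 3.0 or later; the 40 GB threshold is the book’s recommendation, not a hard installer limit.

```powershell
# Added example (not from the book). Reports each WSUS server prerequisite as pass/fail.
function Test-WsusPrerequisites {
    $results = @()

    # 32-bit only: WSUS cannot be installed on 64-bit Windows Server 2003.
    $width = (Get-WmiObject Win32_Processor | Select-Object -First 1).AddressWidth
    $os    = Get-WmiObject Win32_OperatingSystem
    $results += [pscustomobject]@{
        Check = '32-bit operating system'; Pass = ($width -eq 32)
        Detail = "$($os.Caption) $($os.CSDVersion), $width-bit"
    }

    # IIS is not installed by default on Windows Server 2003; W3SVC is its service.
    $w3svc = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check = 'IIS (W3SVC) installed'; Pass = ($null -ne $w3svc)
        Detail = if ($w3svc) { "status $($w3svc.Status)" } else { 'service not found' }
    }

    # BITS 2.0 ships with SP1; on earlier builds it is a separate download. Report the
    # service DLL version so the administrator can compare it with the WSUS site's notes.
    $qmgr = Join-Path $env:SystemRoot 'system32\qmgr.dll'
    $bits = Get-Service -Name BITS -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check = 'BITS service present'; Pass = ($null -ne $bits -and (Test-Path $qmgr))
        Detail = if (Test-Path $qmgr) { "qmgr.dll $((Get-Item $qmgr).VersionInfo.FileVersion)" } else { 'qmgr.dll missing' }
    }

    # Update files must go on an NTFS partition; the book recommends at least 40 GB free.
    $minFreeGB = 40
    $disks = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
             Where-Object { $_.FileSystem -eq 'NTFS' -and ($_.FreeSpace / 1GB) -ge $minFreeGB }
    $results += [pscustomobject]@{
        Check = "NTFS volume with at least $minFreeGB GB free"; Pass = [bool]$disks
        Detail = ($disks | ForEach-Object { "$($_.DeviceID) $([math]::Round($_.FreeSpace / 1GB)) GB free" }) -join ', '
    }

    return $results
}

Test-WsusPrerequisites | Format-Table Check, Pass, Detail -AutoSize
```

Run it before downloading the installation package; a failed IIS or architecture check means the Setup Wizard will not get as far as the pages described next.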
After you agree to the license agreement, the Setup Wizard will prompt you for the following information:
■ Select Update Source Each update consists of two components: the patch file
itself and metadata that specifies the platforms and languages to which the patch
applies. WSUS always downloads metadata, which you will use to approve
updates and which clients on your intranet will retrieve from WSUS. You can
choose whether to download the update installation files themselves and, if so,
where to save the updates.
Tip If you elect to maintain the update files on Microsoft Windows Update servers, Automatic Updates clients will connect to your WSUS server to obtain the list of approved updates and will then connect to Microsoft Update servers to download the files. You can thereby maintain control of client updating and take advantage of the globally dispersed hosting provided by Microsoft.
If you select the Store Updates Locally check box, the Setup Wizard defaults to the drive with the most free space and will create a folder called WSUS on that drive. You can save the files to any NT file system (NTFS) partition; Microsoft suggests a minimum of 6 gigabytes (GB) of free space in the WSUS documentation—however, significantly more is recommended: at least 40 GB.
■ Database Options WSUS requires an instance of a database within which
update metadata and client reports will be stored. On Windows Server 2003,
WSUS will default to an installation of WMSDE on the disk with the greatest
amount of free space. However, you can also select a local installation of SQL
Server as the database for WSUS.
Note You can install WSUS and SQL Server on separate servers. The WSUS deployment
guide, which you can download from Microsoft’s WSUS Web site, contains step-by-step
instructions. However, more than one WSUS server cannot “share” a SQL server. You must
have one SQL server or WMSDE server for each WSUS server.
■ Web Site Selection WSUS installs to the default Web site, port 80, of an IIS
server. If the server hosts an existing Web site on port 80, you may configure
WSUS to install to an alternate site, which will be assigned to port 8530. You can
change this port after setup has completed.
■ Mirror Update Settings This page of the Microsoft Windows Server Update
Services Setup Wizard, shown in Figure 9-1, allows you to create a replica WSUS
server, which replicates updates, approvals, group definitions, and configuration
settings from another WSUS server. It is possible to configure a replica only at this
point in the setup process: select the This Server Should Inherit Settings From The
Following Server check box and enter the Server Name and TCP Port. After
installation is complete, you cannot configure an existing stand-alone server as a
replica, nor can you configure a replica to act as a stand-alone server. This page of the
Setup Wizard is misleading for many administrators who attempt to create a down-
stream server during setup. Downstream servers, which download update files
from an upstream server but maintain independent approvals, group definitions,
and many settings, are configured after setup.
When installation is complete, you are ready to configure and administer WSUS. In
fact, the last page of the Microsoft Windows Server Update Services Setup Wizard,
by default, launches the Web administration page for WSUS.
Lesson 1 Windows Server Update Services 9-11
Figure 9-1 The Mirror Update Settings page of the WSUS Setup Wizard
Configuring and Administering WSUS
You will perform five categories of administrative tasks related to supporting WSUS
servers: configuring settings, synchronizing content, approving updates, managing
computer groups, and reporting update status. You perform these tasks using the
WSUS Administration Web site, shown in Figure 9-2, which you can access by navigat-
ing to http://WSUS_servername/WSUSAdmin with Internet Explorer 5.5 or later. The
administration of WSUS is entirely Web-based. The home page of the WSUS adminis-
tration site contains a useful summary of server and update status, along with a To-Do
list of issues requiring administrative attention.
Note You might need to add your WSUS server to the list of sites in the Trusted Sites zone.
Open Internet Explorer and choose Internet Options from the Tools menu. Click the Security
tab. Select Trusted Sites and click Sites. Clear the option to require Hypertext Transfer Proto-
col Secure (HTTPS), and then add your server. After adding the server, you may reselect the
option to require HTTPS.
Figure 9-2 The WSUS Administration Web site
Configuring Windows Server Update Services Settings
Although you can specify some of the configuration of WSUS during a custom installa-
tion, all WSUS settings are accessible from the WSUS administration Web page. From
the Windows Server Update Services administration page, click Options in the top nav-
igation bar. Then click the Synchronization Options link.
The settings on the Synchronization Options page are easiest to understand if we cat-
egorize the issues you will be addressing through your choice of configuration.
■ From where does this WSUS server synchronize? You use the Update
Source frame to configure the server as a true stand-alone server that synchronizes
from Microsoft Update or to synchronize from an upstream server. If you select
Synchronize From An Upstream Windows Server Update Services Server, you cre-
ate a hierarchical model. The upstream server manages approvals at a “global”
level. A downstream server will synchronize only those updates that have been
approved upstream. An administrator of the downstream server can then approve
one or more of those updates. Remember, this model differs from a replica model
in that a replica synchronizes all approvals and settings from its source. Approvals
and many settings on a downstream server are independently managed. A replica
must be created during installation of WSUS.
■ What content do you wish to synchronize? Use the Products, Classifications,
and Languages buttons to select the types of content that will be synchronized to
the WSUS server. As of the date of publication, WSUS can synchronize updates for
Windows 2000 and later operating systems, Microsoft Office XP and later,
Microsoft SQL Server, and Microsoft Exchange Server. There are a variety of clas-
sifications, including critical updates, security updates, service packs, drivers, and
feature packs. Note that you will not see all available products or classifications
until after the server synchronizes with Microsoft Update for the first time. By
default, WSUS downloads critical and security updates in every language. Use the
language button to select the languages for which updates will be downloaded. In
an environment in which localized versions of Windows have been installed,
select all appropriate languages. If you use the Multilanguage User Interface,
select English. If you use only one language, select that language or the option
Download Only Those Updates That Match The Language Of This Server.
■ What will be downloaded during synchronization? WSUS downloads
update metadata for all updates available on its update source. The actual files
with which the updates are installed may be downloaded to the server as well, or
the WSUS server may be configured to act only as the list of approved updates, at
which point clients download the update files from the Microsoft Web site. In most
enterprises, updates are stored locally, as shown in Figure 9-3.
If updates will be stored locally, you may choose to defer downloading the update
installation files until after the update has been approved. This conserves band-
width by skipping the download of nonapproved updates. Additionally, you may
select to download express installation files. Whereas a standard installation of an
update completely replaces the file, express installation files apply the bit-level
difference between the existing version of a file and its updated version. This type
of updating is called “delta compression” because only the change, or delta, is
applied. Therefore, the amount of data transferred from the WSUS server to the cli-
ent is reduced significantly. However, to account for every possible variation
between original versions of a file and the updated version, the WSUS server must
download and store every possible delta. So a somewhat larger file is transferred
from Microsoft to the WSUS server to preserve the bandwidth between the server
and the end system.
Figure 9-3 Update files storage options
■ Proxy server configuration If the server running WSUS connects to Windows
Update using a proxy server, you must configure proxy settings.
Tip Although you can configure the WSUS server to access Windows Update through a
proxy server that requires authentication, the Automatic Updates client cannot access
Windows Update if the proxy server requires authentication. If your proxy server requires
authentication, you can configure WSUS to authenticate, and you must store all update
content—files as well as metadata—locally.
Synchronizing Content
The Schedule frame of the Synchronization Options page exposes the settings to
schedule synchronization. For the most hands-free operation of WSUS, schedule a
daily synchronization during nonbusiness hours. You can also trigger synchronization
manually by clicking the Synchronize Now link in the left navigation bar. During syn-
chronization, you cannot change other server settings. The metadata for available
updates is downloaded from the update source: either Microsoft Update or an
upstream WSUS server. If specified in the Update Storage options, the update installa-
tion files or express installation files are downloaded as well. When deferred download
is selected, those files are synchronized only after they are approved for installation on
one or more clients. Synchronization progress is indicated in the left frame of the Syn-
chronization Options page and on the WSUS home page.
Approving Updates
Update management includes identifying, evaluating, and approving updates. You per-
form each of these tasks using the Updates page of the WSUS administration site. From
the WSUS home page, click the Updates link in the top navigation bar. The Updates
page, shown in Figure 9-4, appears.
Figure 9-4 Updates administration page
The list view in the top frame of the Updates page displays a subset of update meta-
data, including the update’s title, classification, release date, and approval status. To
locate a set of updates, use the view frame in the left task pane, with which you can fil-
ter updates by product type or name, classification, update type, approval status, syn-
chronization date, or keywords, the last of which will allow you to search by
knowledge base or security bulletin identifier or any word contained in the name or
description of the update. When you select an update in the list, the details about the
update appear in the details frame at the bottom of the page. Update metadata is dis-
played in three tabs: Details, Status, and Revisions.
To approve one or more updates for distribution to client computers, select the
update(s) in the list, and then click the Change Approval link in the left navigation
pane. The Approve Updates dialog box shown in Figure 9-5 appears. Using the drop-
down list, you can configure one of four approval options:
Figure 9-5 The Approve Updates page
■ Detect Only Each client will discover the update on the WSUS server and, using
update metadata, determine whether the update is needed. The client will then
report whether the update is needed or not and you can view this feedback to
determine whether to approve the update for installation. Detect Only approval
does not result in the client installing the update; the client only detects and
reports whether the update is needed.
■ Install Each client will install the update if it is needed. Because updates contain
detailed metadata that describes the update and its relationship to other updates,
clients can evaluate the update to determine whether it is needed. If, for example,
a client has already installed a service pack, any individual update that was
included in that service pack would be unnecessary, so the client would skip the
update even though it was approved for installation. This behavior ensures effec-
tive use of resources by preventing duplicate or superseded updates from being
installed.
■ Not Approved Clients will not download update metadata, so they will neither
detect and report whether the update is needed nor install the update. If a client
has already installed the update, it will not be removed, but no new clients will
detect or install the update.
■ Remove Some, but not all, updates support removal through WSUS and Auto-
matic Updates. Approving an update for removal causes the client to uninstall
the update. Most updates can be individually removed using Add or Remove
Programs.
Note in Figure 9-5 that WSUS supports setting a deadline for installation of an update.
This capability prevents even local administrators from delaying the update. If a client
detects that an update has been approved for installation and the deadline has passed,
the update will be installed. Although WSUS is inherently a “pull” technology, in which
clients query the WSUS server for updates and download them from the server, the deadline
feature approximates the ability to “push” an urgent update to clients.
The option selected in the Approval drop-down list and the deadline configured in the
top of the Approve Updates dialog box will apply, by default, to all computers directed
to the WSUS server. WSUS introduces the ability to create computer groups, a feature
discussed later in this lesson. Any computer that does not belong to a computer group
is represented by the built-in group Unassigned Computers. After you create computer
groups, you can configure approvals and deadlines differently for each computer
group. For example, you might approve an update for installation on a group of pilot
systems and for detection on other systems, as shown in Figure 9-5. If the update is
successful on the pilot computers and is reported as needed by other computers, you
can then approve the update for installation on remaining systems.
To decline an update, click the Decline Update link in the task pane of the Updates
page. When you decline an update, it will not be installed by any clients; however, cli-
ents that have already installed the update will not remove it. The update installation
files are not deleted from the WSUS server.
You can automate the approval workflow by configuring automatic approval. Click the
Options link in the top navigation bar, and then click the Automatic Approval Options
link. You can instruct WSUS to automatically approve updates based on classification
for either detection or installation and for one or more computer groups. This version
of WSUS does not support configuring automatic approvals based on product. By
default, WSUS automatically approves critical updates and security updates for detec-
tion, so soon after Microsoft releases an update of those classifications, WSUS clients
will begin to report whether those updates are required.
Occasionally, Microsoft will revise an update’s metadata or installation files. You can
configure WSUS to automatically approve revisions to already-approved updates.
Microsoft might also release updates to WSUS itself, and the Automatic Approval
Options page exposes an option to approve such updates automatically.
Managing Computer Groups
Computer groups enable an enterprise to target updates to collections of systems
based on their role, priority, location, function, or any other criteria. When designing
your update infrastructure, consider how you might be able to leverage computer
groups to attain the strategic objectives of your design. For example, by creating a
computer group for pilot computers, you can approve new updates for installation
on those systems, monitor the results to ensure that the update does not cause prob-
lems, and then approve the update for installation on remaining systems. You might
decide to have a group of computers that should be updated more quickly than oth-
ers—for example, your servers exposed to the Internet. By placing those servers in a
computer group, you can set a deadline for updates for those systems to ensure that
those updates are installed quickly. WSUS always exposes two built-in groups: All
Computers, representing every client that reports to the WSUS server; and Unas-
signed Computers, representing the subset of clients that do not belong to any cus-
tom computer group.
There are three steps to managing computer groups with WSUS. First, you select one
of two ways to assign computers to groups: server-side targeting and client-side target-
ing. Server-side targeting, the default, requires you to add computers to groups using
the WSUS administration site. Client-side targeting allows you to automatically assign
clients to groups using either registry entries or Group Policy. Second, you create the
computer groups on the WSUS server. Third, you move computers into groups using
whichever method you selected in the first step.
To manage computer groups, click the Computers link in the top navigation bar. The
Computers page lists all computers that have reported to the server. Remember that cli-
ents are directed to the WSUS server using registry entries or Group Policy settings that
will be detailed later in this lesson. WSUS groups are not, interestingly, associated in
any way with Active Directory directory service groups or with local security groups.
WSUS groups are defined and maintained by the WSUS server itself. To create a new
group, click the Create A Computer Group link and specify the group name. To delete
a group, first select the group from the Groups list, and then click the Delete The
Selected Group link in the Tasks frame.
To configure either client-side targeting or server-side targeting, click the Options link
in the top navigation bar, and then click Computer Options. Select one of the following
configurations:
■ Use The Move Computers Task In Windows Server Update Services You
will assign computers to groups using the WSUS administration page.
■ Use Group Policy Or Registry Settings On Client Computers You will assign
clients to groups using registry entries on the clients or using Group Policy.
With either server-side targeting or client-side targeting, you must create the groups on
the WSUS server. Click the Computers link in the top navigation bar, and then click
Create A Computer Group and enter the name for the group.
If you have configured server-side targeting, you must manage computer group member-
ship on the WSUS server using the Computers page. Select a computer and, in the Tasks
pane, click Move The Selected Computer link. In an update infrastructure characterized
by a small number of computer groups with limited membership, manual management
of computer groups is possible.
In more complicated implementations, however, you will want to configure client-
side targeting, also called computer-based targeting. In client-side targeting, clients
register their group membership when they report to the WSUS server. Client com-
puters are configured with their group membership using a registry entry or Group
Policy. In a non–Active Directory environment, you configure the TargetGroup
registry string (REG_SZ) entry with the name of the group, and you configure the
TargetGroupEnabled registry DWORD entry with the value 1. Both these registry entries
are found in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate
key. In an Active Directory environment, you can automate the configuration of
update group membership by enabling the Enable Client-Side Targeting Group Pol-
icy setting. In a GPO, open the Computer Configuration, Administrative Templates,
Windows Components, Windows Update node. Open the Enable Client-Side Target-
ing setting and click Enabled. Type the name of the computer group in the box. Any
computers within the scope of the GPO will report that group membership to the
WSUS server.
With client-side targeting enabled, a client reports its group membership to WSUS, but
the membership will not take effect unless the group exists on the WSUS server. So, as
with server-based targeting, you must create all groups on the WSUS server that you
have configured for client-side targeting. If a client reports membership in a group that
does not exist on the WSUS server, a warning will register on the WSUS administration
home page to help you identify the problem. Until you resolve the conflict, either by
creating the computer group or by moving the computer into an existing group, the
computer will be managed as an unassigned computer.
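The pilot-first approval workflow described under Approving Updates, together with the point that computer groups live on the WSUS server rather than in Active Directory, can be scripted against the WSUS administration API. The following is an added example, not code from the book or from Microsoft's WSUS samples. It assumes it runs on the WSUS server itself, where the Microsoft.UpdateServices.Administration assembly is installed alongside the Web UI; the group name and the classification filter are local choices, and the type and method names are those of the WSUS administration API rather than anything shown in this lesson.

```powershell
# Added example (not from the book): pilot-first approval with the WSUS
# administration API. Assumes it runs on the WSUS server, where the
# Microsoft.UpdateServices.Administration assembly is installed with WSUS.
# The group name and the classification filter are assumed local choices.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$pilotName = 'Pilot Workstations'   # assumed group name
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

# Computer groups are defined on the WSUS server, not in Active Directory, so
# create the pilot group there if it is missing (the scripted equivalent of the
# Create A Computer Group task on the Computers page).
$pilot = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $pilotName }
if ($pilot -eq $null) {
    $pilot = $wsus.CreateComputerTargetGroup($pilotName)
}

$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install

# Approve, for the pilot group only, every security update that is neither
# declined nor already approved for any group. Everything else is left alone
# until the pilot computers report success in the Status Of Updates report.
$approved = @()
foreach ($update in $wsus.GetUpdates()) {
    if ($update.IsDeclined -or $update.IsApproved) { continue }
    if ($update.UpdateClassificationTitle -ne 'Security Updates') { continue }
    [void]$update.Approve($install, $pilot)
    $approved += $update.Title
}

"Approved {0} update(s) for '{1}':" -f $approved.Count, $pilotName
$approved
```

Run it as a WSUS administrator. Once the pilot group reports the updates as installed without failures, the same loop, pointed at the built-in All Computers group instead of `$pilot`, performs the wider approval; clients that already installed the update during the pilot will evaluate the metadata, find it unnecessary, and skip it, exactly as the Install approval option describes.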
Reporting Update Status
The Reports page of the WSUS administration site enables you to view and print
reports based on updates or computers. Click the Reports link in the top navigation
bar, and then choose Status Of Computers or Status Of Updates. Reports can be filtered
to show results from one computer group or for All Computers and to show results
from one or more approval levels. Update reports summarize, for each update, the
number of computers that report the update as installed, needed, not needed, unin-
stalled, or failed. You can expand an update to see detail for the update by computer
group, and you can expand a computer group to see the detail for each computer in
that group. An update report is displayed in Figure 9-6.
Figure 9-6 WSUS update report
A computer report displays, for each computer, the number of updates installed,
needed, not needed, uninstalled, or failed. Expand a computer to see the detail for
each update. A computer report is displayed in Figure 9-7.
Figure 9-7 WSUS computer report
You can access two other reports through the Reports link in the top navigation bar:
Synchronization reports, which detail synchronization activity, and Settings reports,
which can be particularly useful when you are configuring additional WSUS servers
and want to maintain consistency with existing servers. You can also access reports
using the Status tab on either the Computers or Updates pages. All reports can be
sorted by column and printed.
Note As you view reports, remember that you are seeing the activity of only one WSUS
server. You must view the reports on each server separately. This version of WSUS does not
natively support “rolling up” the status of multiple servers. However, Microsoft provides sam-
ple tools on the WSUS Web site, one of which provides rollup functionality. Another sample
allows you to create and populate WSUS computer groups using Active Directory groups as a
data source.
The Automatic Updates Client
The client component of WSUS is Windows Automatic Updates, which is supported on
Windows 2000, Windows XP, and Windows Server 2003. The Automatic Updates client
is included with Windows Server 2003, Windows 2000 Service Pack 3, and Windows
XP Service Pack 1. When a client with the original version of Automatic Updates
reports to WSUS, the client will upgrade itself automatically to the new version of Auto-
matic Updates that is compatible with WSUS. This newer version is installed by default
by Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.
The Automatic Updates client is configured to connect automatically to the
Microsoft Windows Update server and then download updates and prompt the user
to install them. You can modify this behavior by accessing the Automatic Updates
tab in the System Properties dialog box, accessible by clicking System in Control
Panel in Windows XP and Windows Server 2003. In Windows 2000, click Automatic
Updates in Control Panel. The Automatic Updates tab is shown in Figure 9-8. The
options on the tab are limited and do not allow you to direct Automatic Updates to
a WSUS server. You can use Group Policy settings or registry values to fully config-
ure Automatic Updates for WSUS.
Figure 9-8 The Automatic Updates tab of the System Properties dialog box
Download Behavior
Automatic Updates supports two download behaviors:
■ Automatic Updates are downloaded without notification to the user.
■ Notification If Automatic Updates is configured to notify the user before down-
loading updates, it registers the notification of an available update in the system
event log and to a logged-on administrator of the computer. If an administrator is
not logged on, Automatic Updates waits for a user with administrator credentials
before giving notification by means of a balloon in the notification area of the sys-
tem tray.
After update downloading begins, Automatic Updates uses BITS to perform the file
transfer using idle network bandwidth. BITS ensures that network performance is not
hindered due to file transfer. The Automatic Updates client validates the Microsoft
digital signature and checks the cyclic redundancy check (CRC) on each package
before installing it. The signature check, not the CRC, is what protects against a
tampered package; a CRC detects only accidental corruption.
Installation Behavior
Automatic Updates provides two options for installation:
■ Notification Automatic Updates registers an event in the system log indicating
that updates are ready for installation. Notification will wait until a local adminis-
trator is logged on before taking further action. When an administrative user is
logged on, a balloon notification appears in the system tray. The administrator
clicks the balloon or the notification icon and then may select from available
updates before clicking Install. If an update requires restarting the computer, Auto-
matic Updates cannot detect additional updates that might be applicable until after
the restart.
■ Automatic (Scheduled) When updates have been downloaded successfully, an
event is logged to the system event log. If an administrator is logged on, a notifi-
cation icon appears and the administrator can manually launch installation at any
time until the scheduled installation time.
At the scheduled installation time, an administrator who is logged on will be noti-
fied with a countdown message prior to installation and will have the option to
cancel installation, in which case the installation is delayed until the next sched-
uled time. If a nonadministrator is logged on, a warning dialog box appears but
the user cannot delay installation. If no user is logged on, installation occurs auto-
matically. If an update requires restart, a five-minute countdown notification
appears informing users of the impending restart. Only an administrative user can
cancel the restart.
Tip If a computer is not turned on at the scheduled Automatic Updates installation time,
installation will wait until the next scheduled time. If the computer is never on at the scheduled
time, installation will not occur. Ensure that systems remain turned on to be certain that Auto-
matic Updates install successfully, or configure the Reschedule Automatic Updates Sched-
uled Installations policy setting, described below.
Configuring Automatic Updates Through Group Policy
The Automatic Updates client will, by default, connect to the Microsoft Windows
Update server. After you have installed WSUS in your organization, you can direct
Automatic Updates to connect to specific intranet WSUS servers by configuring the reg-
istry of clients manually or by using Windows Update group policies.
To configure Automatic Updates using GPOs, open a GPO and navigate to the
Computer Configuration\Administrative Templates\Windows Components\Windows
Update node. The Windows Update policies are shown in Figure 9-9.
Figure 9-9 Windows Update policies
Note The Automatic Updates policies described below are supported by the newest
version of the %Windir%\Inf\Wuau.inf administrative template, which is installed by default on
Windows XP SP2 and Windows Server 2003 SP1. If you do not see the policies, copy
Wuau.inf from an appropriate system, right-click the Administrative Templates node and
choose Add/Remove Templates, click Add, and then locate the Wuau.inf template.
The following policies are available, each playing an important role in configuring
effective update distribution in your enterprise:
■ Specify Intranet Microsoft Update Service Location This policy allows you
to redirect Automatic Updates to a server running WSUS. You must configure the
two text boxes (the intranet update service for detecting updates, and the intranet
statistics server to which clients report status) with the URL of the WSUS server,
http://serverFQDN. If you have installed WSUS to a port other than port 80, you must
include the port in the URL, for example http://serverFQDN:port.
Note Be sure that any firewall, including Windows Firewall, allows inbound traffic on
Transmission Control Protocol (TCP) port 80 to the WSUS server (or on port 8530 if you
installed WSUS to the alternate Web site).
■ Automatic Updates Detection Frequency Automatic Updates clients poll their
WSUS server every 22 hours, minus a random offset. This policy setting allows you
to modify that frequency.
■ Configure Automatic Updates When an update has been detected, you con-
trol the download and installation behavior of the client using this policy setting.
There are three options: Notify For Download And Notify For Install, Auto Down-
load And Notify For Install, and Auto Download And Schedule The Install. These
options are combinations of the installation and download behaviors discussed
earlier in the lesson.
■ Reschedule Automatic Updates Scheduled Installations If installations are
scheduled and the client computer is turned off at the scheduled time, the default
behavior is to wait for the next scheduled time. The Reschedule Automatic
Updates Scheduled Installations policy, if set to a value between 1 and 60, causes
Automatic Updates to reschedule installation for the specified number of minutes
after system startup.
■ Enable Client-Side Targeting If you have configured the WSUS server for cli-
ent-side targeting, you can use this policy to configure clients with a specific com-
puter group. The client will report this group name to the WSUS server. The group
must be defined on the WSUS server, as discussed in this lesson.
See Also For guidance regarding client configuration using registry settings, see the
WSUS documentation, which is available along with the WSUS installation files from http:
//www.microsoft.com/wsus.
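The client-side targeting registry entries described under Managing Computer Groups and the Group Policy settings listed above write to the same policy key, so a computer outside Active Directory can be configured with one script. The following is an added example, not code from the book or from the WSUS documentation. It assumes a Windows XP SP2 or Windows Server 2003 SP1 client and a local administrator session; TargetGroup and TargetGroupEnabled come from the lesson, while the remaining value names are taken from the WSUS client documentation the See Also note points to, and the server name, port and group name are invented for the example.

```powershell
# Added example (not from the book): point an Automatic Updates client at a
# WSUS server and enroll it in a computer group by writing the policy registry
# values directly, for machines outside Active Directory. Assumes Windows XP SP2
# or Windows Server 2003 SP1 and a local administrator session. TargetGroup and
# TargetGroupEnabled are from the lesson; the other value names are from the
# WSUS client documentation; server, port and group name are assumed.
$WsusUrl   = 'http://wsus01.contoso.com:8530'   # include the port when not on port 80
$GroupName = 'Pilot Workstations'                # must already exist on the WSUS server

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
foreach ($key in @($wu, $au)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

function Set-PolicyValue([string]$Path, [string]$Name, $Value, [string]$Type) {
    # -Force overwrites an existing value of the same name
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Specify Intranet Microsoft Update Service Location: update server and
# statistics (reporting) server; UseWUServer=1 makes the client honor them.
Set-PolicyValue $wu 'WUServer'       $WsusUrl 'String'
Set-PolicyValue $wu 'WUStatusServer' $WsusUrl 'String'
Set-PolicyValue $au 'UseWUServer'    1        'DWord'

# Enable Client-Side Targeting
Set-PolicyValue $wu 'TargetGroupEnabled' 1          'DWord'
Set-PolicyValue $wu 'TargetGroup'        $GroupName 'String'

# Configure Automatic Updates: 4 = Auto Download And Schedule The Install
# (2 = Notify For Download And Notify For Install, 3 = Auto Download And Notify For Install)
Set-PolicyValue $au 'AUOptions'            4 'DWord'
Set-PolicyValue $au 'ScheduledInstallDay'  0 'DWord'   # 0 = every day
Set-PolicyValue $au 'ScheduledInstallTime' 3 'DWord'   # 03:00 local time

# Reschedule Automatic Updates Scheduled Installations: install 15 minutes after
# startup when the computer was off at the scheduled time (allowed range 1-60)
Set-PolicyValue $au 'RescheduleWaitTimeEnabled' 1  'DWord'
Set-PolicyValue $au 'RescheduleWaitTime'        15 'DWord'

# Automatic Updates Detection Frequency: poll every 4 hours instead of about 22
Set-PolicyValue $au 'DetectionFrequencyEnabled' 1 'DWord'
Set-PolicyValue $au 'DetectionFrequency'        4 'DWord'

# Read the settings back so a misspelled value or a non-elevated run is caught
# now rather than after the next detection cycle silently does nothing.
function Test-WsusClientConfig {
    $p = Get-ItemProperty -Path $wu
    $a = Get-ItemProperty -Path $au
    $ok = ($p.WUServer -eq $WsusUrl) -and ($p.WUStatusServer -eq $WsusUrl) -and
          ($a.UseWUServer -eq 1) -and ($p.TargetGroupEnabled -eq 1) -and
          ($p.TargetGroup -eq $GroupName) -and ($a.AUOptions -eq 4)
    return $ok
}

if (Test-WsusClientConfig) {
    # Force an immediate detection cycle instead of waiting for the next poll;
    # /resetauthorization makes the client re-register with the server, so a
    # changed TargetGroup is reported right away.
    & wuauclt.exe /resetauthorization /detectnow
    'Client configured; check the Computers page on the WSUS server in a few minutes.'
} else {
    'Configuration readback failed; confirm the script ran as an administrator.'
}
```

Two caveats. These are policy values, so on a domain member any Windows Update GPO that applies to the computer overwrites them at the next policy refresh; in an Active Directory environment use the GPO settings instead, as the lesson recommends. And the URL is plain HTTP, as the lesson configures it; the WSUS deployment guide also covers configuring the server for SSL, which is worth doing because the client acts on whatever approval metadata the server hands it.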
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. You are configuring a WSUS infrastructure. One server is synchronizing metadata
and content from Microsoft Update. Other servers (one in each site) are synchro-
nizing content from the upstream WSUS server. Which of the following steps is
required to complete the WSUS infrastructure?
a. Configure Automatic Updates clients using Control Panel on each system.
b. Configure GPOs to direct clients to the WSUS server in their sites.
c. Configure a manual content distribution point.
d. Approve updates using the WSUS administration page.
2. You are configuring WSUS for a group of Web servers. You want the Web servers
to update themselves nightly based on a list of approved updates on your WSUS
server. However, once in a while an administrator is logged on, performing late-
night maintenance on a Web server, and you do not want update installation and
potential restart to interfere with those tasks. What Windows Update policy con-
figuration should you use in this scenario?
a. Notify For Download And Notify For Install
b. Auto Download And Notify For Install
c. Auto Download And Schedule The Install
3. You want all network clients to download and install updates automatically during
night hours, and you have configured scheduled installation behavior for Auto-
matic Updates. However, you discover that some users are turning off their
machines at night, and updates are not being applied. Which policy allows you to
correct this situation without changing the installation schedule?
a. Specify Intranet Microsoft Update Service Location
b. No Auto-Restart For Scheduled Automatic Updates Installations
c. Reschedule Automatic Updates Scheduled Installations
d. Configure Automatic Updates
Lesson Summary
■ WSUS is an intranet application that runs on IIS 6.0 and is administered through a
Web-based administration site: http://WSUS_Servername/WSUSAdmin.
■ The WSUS server synchronizes content for subscribed product types and update
classifications and allows an administrator to configure approval centrally for each
update. Typically, an enterprise configures WSUS to download the actual update
installation files as well.
■ Updates can be targeted to specific computers by defining computer groups on
the WSUS servers. The membership of those groups can be managed on the server
or by using client-side registry entries or Group Policy settings.
■ Automatic Updates, which runs on Windows 2000, Windows XP, and Windows
Server 2003, is responsible for downloading and installing updates on the client.
■ Group Policy can be used to configure Automatic Updates to retrieve patches from
a WSUS server rather than from the Windows Update servers. GPOs can also drive
the download, installation, and restart behavior of the client computers.
Lesson 2 Service Packs 9-27
Lesson 2: Service Packs
Microsoft releases service packs to consolidate critical updates, security rollups, hot-
fixes, driver updates, and feature enhancements. As suggested at the beginning of this
chapter, it is no longer feasible to wait until Service Pack 3 before installing Service
Pack 2. You must stay current with service packs to maintain the security and integrity
of your enterprise network. WSUS, discussed in the previous lesson, is capable of dis-
tributing service packs, but SUS is not. In environments where service packs are not
deployed using an update infrastructure, you need to implement the skills covered in
this lesson, which will allow you to deploy service packs by means of Group Policy.
After this lesson, you will be able to
■ Download and extract a service pack
■ Deploy a service pack with Group Policy–based software distribution
Estimated lesson time: 5 minutes
Downloading and Extracting Service Packs
When a service pack is released, Microsoft makes it available for installation and
download from the Microsoft Web site. A service pack can be installed directly from
a Microsoft server, in which case the client launches the service pack setup from the
Microsoft site, and a small setup utility is downloaded to the client. That setup utility
reconnects to the Microsoft server and controls the download and installation of the
entire service pack. Service packs are generally sizeable, so performing this task
machine-by-machine is not an efficient deployment strategy in all but the smallest
environments.
Service packs can also be obtained on CD from Microsoft and through many Microsoft
resources, such as TechNet and MSDN. Service pack CDs often include extras, such
as updated administrative tools, new policy templates, and other value-added soft-
ware. In an enterprise environment, it is therefore recommended to obtain the ser-
vice pack media.
When you do not have access to a CD containing the service pack, and you want to
deploy the service pack to more than one system, you can download the entire service
pack as a single file, again from the Microsoft Web site. The service pack executable,
if launched (by double-clicking, for example), triggers the installation of the service
pack. This single-file version of the executable can also be extracted into the full folder
and file structure of the service pack, just as it would be on the service pack CD, but
without the value adds.
To extract a service pack, launch the executable from a command prompt with the -x
switch. For example, to extract Windows Server 2003 SP1 for 32-bit platforms, type
WindowsServer2003-KB889101-SP1-x86-ENU.exe -x. You will then be prompted
for a folder to which the service pack is extracted. After the process is complete, you
will see the full service pack folder structure contained in the target folder. You can
then launch installation of the service pack, just as from the CD, by double-clicking
I386\Update\Update.exe.
Deploying Service Packs with Group Policy
Service pack installation requires administrative credentials on the local computer
unless the service pack is installed through Group Policy or Systems Management
Server (SMS). Because service packs apply to systems, it is necessary to assign the ser-
vice pack through computer-based, rather than user-based, Group Policy.
To distribute a service pack, create a shared folder and either extract the service pack
to that folder or copy the contents of the service pack CD to the folder. Then, using
the Active Directory Users And Computers snap-in, create or select an existing GPO.
Click Edit and the Group Policy Object Editor console appears, focused on the
selected GPO.
Expand the Computer Configuration\Software Settings node. Right-click Software
Installation and choose New, then Package. Enter the path to the service pack’s
Update.msi file. Be certain to use a UNC format (for example, \\Server\Share) and not
a local volume path, such as Drive:\Path. In the Deploy Software dialog box, select
Assigned. Close the Group Policy Object Editor console. Computers within the scope
of the GPO—in the site, domain, or OU branch to which the policy is linked—auto-
matically deploy the service pack at the next startup.
Tip Windows XP systems with Logon Optimization configured might require two restarts.
Logon Optimization can be disabled by enabling the policy Always Wait For The Network At
Computer Startup And Logon, found in the policy path Computer Configuration\Administrative
Templates\System\Logon.
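The staging steps above (extract, share, enter the UNC path in the GPO) can be scripted, and doing so is a good place to add the check the lesson leaves implicit: an assigned package is fetched and installed by the computer account as SYSTEM, so anyone who can write to the share controls code that will run with full privilege on every computer in the GPO’s scope. The following PowerShell is an added example, not part of this training kit. It assumes the Windows Server 2003 SP1 package name used in the lesson, a staging folder of C:\ServicePack, the CONTOSO domain from the exercises, and a host with Windows PowerShell; the package location under C:\Downloads is an assumption.

```powershell
# Added example (not from the training kit): stage a service pack for Group Policy
# software installation and verify the share is not writable by ordinary users.
# Assumed: package path, staging folder, and the CONTOSO NetBIOS domain name.
$Package   = 'C:\Downloads\WindowsServer2003-KB889101-SP1-x86-ENU.exe'   # assumed location
$Target    = 'C:\ServicePack'
$ShareName = 'ServicePack'
$Domain    = 'CONTOSO'                                                   # assumed domain

# 1. Extract without installing. /x:<path> is the non-interactive form of the -x
#    switch described in the lesson (the bare -x form prompts for the folder).
New-Item -ItemType Directory -Path $Target -Force | Out-Null
$proc = Start-Process -FilePath $Package -ArgumentList "/x:$Target" -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Extraction failed with exit code $($proc.ExitCode)" }

# 2. The GPO package points at Update.msi, so confirm it was extracted.
$Msi = Get-ChildItem -Path $Target -Recurse -Filter 'Update.msi' | Select-Object -First 1
if (-not $Msi) { throw 'Update.msi not found in the extracted service pack' }

# 3. Share the folder. Assigned packages are read by the computer account, so
#    Domain Computers need READ; only administrators should have more than that.
net share "$ShareName=$Target" "/GRANT:$Domain\Domain Computers,READ" "/GRANT:$Domain\Domain Admins,FULL" | Out-Null

# 4. NTFS check: flag Allow entries that give broad principals write or modify
#    rights on the staging tree. Such an entry lets a non-admin replace Update.msi
#    with code that every in-scope computer will run as SYSTEM.
$Broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
         "$Domain\Domain Users", "$Domain\Domain Computers"
$WriteMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl
$Risky = (Get-Acl -Path $Target).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $Broad -contains $_.IdentityReference.Value -and
    (($_.FileSystemRights -band $WriteMask) -ne 0)
}
if ($Risky) {
    $Risky | ForEach-Object { Write-Warning ("{0} has {1} on {2}" -f $_.IdentityReference, $_.FileSystemRights, $Target) }
    throw 'Remove write access for broad principals before linking the GPO'
}

# 5. The path to enter in the New Package dialog: UNC, never a local drive path.
$Relative = $Msi.FullName.Substring($Target.Length).TrimStart('\')
$Unc = '\\{0}\{1}\{2}' -f $env:COMPUTERNAME, $ShareName, $Relative
Write-Output "Assign this package under Computer Configuration\Software Settings: $Unc"
```

The share grant uses net share /GRANT rather than a newer cmdlet so the same line works on the Windows Server 2003 hosts the lesson describes; the NTFS check is what matters for integrity, because share permissions alone do not stop a user with a local logon or another share onto the same folder.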
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. What command should you use to unpack the single file download of a service
pack?
a. Setup.exe -u
b. Update.exe -x
c. Update.msi
d. <Servicepackname>.exe -x
2. What type of Group Policy software deployment should be used to distribute a
service pack?
a. Published in the Computer Configuration Software Settings
b. Assigned in the Computer Configuration Software Settings
c. Published in the User Configuration Software Settings
d. Assigned in the User Configuration Software Settings
Lesson Summary
■ Service packs can be extracted using the -x switch.
■ Group Policy can deploy service packs by assigning Update.msi through the com-
puter configuration’s software settings policy.
Lesson 3: Administering Software Licenses
The End User License Agreement (EULA) is more than just a nuisance that you must
click through to begin installing a new operating system, update, or application. The
EULA is a binding contract that gives you the legal right to use a piece of software. In
an enterprise environment, managing software licenses is critically important. In this
lesson, you will learn to use the licensing tools provided by Windows Server 2003 to
register and monitor licenses and compliance.
After this lesson, you will be able to
■ Understand Per Server and Per Device or Per User licensing modes
■ Configure licenses using the Licensing properties in Control Panel and the Licensing
administrative tool
■ Create license groups
Estimated lesson time: 20 minutes
Note The Evaluation Edition of Windows Server 2003, Enterprise Edition, included on the
companion CD-ROM with this book, does not support licensing. You will not be able to follow
along with the examples in this lesson without purchasing the full retail version of the product.
Obtaining a Client Access License
The server license for Windows Server 2003 enables you to install the operating system
on a computer, but you need a Client Access License (CAL) before a user or device is
legally authorized to connect to the server. CALs are obtained in bundles, and are often
but not always included in the purchase of the operating system. Keep copies of the
CAL certificates and your EULAs on file in the event that your organization is audited
for licensing compliance.
Tip Remember that when upgrading a server from Microsoft Windows NT 4 or Windows
2000 to Windows Server 2003, you must purchase CAL upgrades as well.
You must have a CAL for any connection to a computer running Windows Server 2003
that uses server components, which include file and print services or authentication. Very
few server applications run so independently that the client/server connection does not
require a CAL. The most significant exception to the CAL requirement is unauthenticated
access conducted through the Internet. Where there is no exchange of credentials during
Internet access, such as users browsing your public Web site, no CAL is required. CALs
are therefore not required for Windows Server 2003 Web Edition.
There are two types of CALs: Windows Device CALs, which allow a device to connect
to a server regardless of the number of users who might use that device; and Windows
User CALs, which allow a user to connect to a server from a number of devices.
Windows Device CALs are advantageous for an organization with multiple users per
device, such as shift workers. Windows User CALs make most sense for an organi-
zation with employees that access the network from multiple or unknown devices.
Note The licensing tools and the user interface do not yet distinguish between Windows
User or Windows Device CALs. A device CAL is registered indirectly, using license groups.
The number of CALs you require, and how you track those licenses, depends on which
client access licensing mode you pursue.
Per-Server Licensing
Per-server licensing requires a User or Device CAL for each concurrent connection.
If a server is configured with 1,000 CALs, the 1,001st concurrent connection is
denied access. CALs are designated for use on a particular server, so if the same
1,000 users require concurrent connections to a second server, you must purchase
another 1,000 CALs.
Per-server licensing is advantageous only in limited access scenarios such as when a
subset of your user population accesses a server product on very few servers. Per-
server licensing is less cost-effective in a situation in which multiple users access mul-
tiple resources on multiple servers. If you are unsure which licensing mode is appro-
priate, select Per Server. The license agreement allows a no-cost, one-time, one-way
conversion from Per Server to Per Device or Per User licensing when it becomes
appropriate to do so.
Per-Device or Per-User Licensing
The Per Device or Per User licensing mode varies from the Per Seat scheme of pre-
vious versions of Windows. In this new mode, each device or user that connects to
a server requires a CAL, but with that license, the device or user can connect to a
number of servers in the enterprise. Per User or Per Device mode is generally the
mode of choice for distributed computing environments in which multiple users
access multiple servers.
For example, a developer who uses a laptop and two desktops would require only one
Windows User CAL. A fleet of 10 Tablet PCs that are used by 30 shift workers would
require only 10 Windows Device CALs.
The total number of CALs equals the number of devices or users, or a mixture thereof,
that access servers. CALs can be reassigned under certain, understandable conditions—
for example, a Windows User CAL can be reassigned from a permanent employee to a
temporary employee while the permanent employee is on leave. A Windows Device
CAL can be reassigned to a loaner device while a device is being repaired.
Per Server and Per Device or Per User licensing modes are compared in Table 9-1.
Table 9-1 CAL Licensing Modes
Per Server
■ Traditionally licensed in Per Server mode when there are few servers that require
limited access.
■ The number of CALs needed is determined by the number of concurrent connections
that are required.
Per User or Per Device
■ Traditionally licensed in Per User or Per Device mode when there are many servers
that require frequent and widespread access.
■ Usually more economical when the number of CALs needed is determined by the
number of users or devices, or both, that require access to the servers.
Tip Windows Server 2003 includes Terminal Services, also known as Remote Desktop.
Remote Desktop includes a two (concurrent) connection license for administrators to connect
to a remote server. For Terminal Services to perform as an application server, allowing nonad-
ministrative users to connect to hosted applications, you must acquire Terminal Services
CALs. Details regarding client licensing can be found at http://www.microsoft.com/
windowsserver2003/howtobuy/licensing/ts2003.mspx.
There are two utilities that will help you track and manage software licensing:
■ Licensing in Control Panel The Control Panel Choose Licensing Mode tool, as
shown in Figure 9-10, manages licensing requirements for a single computer run-
ning Windows Server 2003. You can use Licensing to add or remove CALs for a
server running in per-server mode; to change the licensing mode from Per Server
to Per Device or Per User; or to configure licensing replication.
Figure 9-10 The Choose Licensing Mode tool in Control Panel
■ Licensing in Administrative Tools The Licensing administrative tool, dis-
cussed in the next section, allows you to manage licensing for an enterprise by
centralizing the control of licensing and license replication in a site-based model.
Administering Site Licensing
The License Logging service, which runs on each computer running Windows Server
2003, assigns and tracks licenses when server resources are accessed. To ensure com-
pliance, licensing information is replicated to a centralized licensing database on a
server in the site. This server is called the site license server. A site administrator, or an
administrator for the site license server, can then use the Microsoft Licensing tool in
Administrative Tools program group to view and manage licensing for the entire site.
This new license tracking and management capability incorporates licenses not just for
file and print services, but for IIS, for Terminal Services, and for BackOffice products
such as Exchange or SQL Server.
The Site License Server
The site license server is typically the first domain controller created in a site. To find
out what server is the license server for a site, open Active Directory Sites And Services,
expand to select the Site node, and then right-click Licensing Site Settings and choose
Properties. The current site license server is displayed, as shown in Figure 9-11.
Figure 9-11 Identifying and changing the site license server
To assign the site license server role to another server or domain controller, click
Change and select the desired computer. To retain the licensing history for your enter-
prise, you must, immediately after transferring the role, stop the License Logging ser-
vice on the new license server, then copy the following files from the old to the new
licensing server:
■ %Systemroot%\System32\Cpl.cfg contains the purchase history for your organization.
■ %Systemroot%\System32\Lls\Llsuser.lls contains user information about the number of
connections.
■ %Systemroot%\System32\Lls\Llsmap.lls contains license group information.
After all files have been copied, restart the License Logging service.
Administering Site Licenses
After you have identified the site license server for a site, you can view the licensing
information on that server, opening Licensing from the Administrative Tools program
group. The Server Browser tab in Licensing (as shown in Figure 9-12) enables you to
manage licensing for an entire site or enterprise.
Figure 9-12 The Server Browser tab of the Microsoft Licensing administrative tool
The Server Browser page of Licensing allows you to manage any server in any site or
domain for which you have administrative authority. You can locate a server and, by
right-clicking it and choosing Properties, manage that server’s licenses. For each server
product installed on that server, you can add or remove per-server licenses. You can
also, where appropriate, convert the licensing mode. Remember that per-server licens-
ing mode issues a license when a user connects to the server product. When a user dis-
connects from the server product, the License Logging service makes the license
available to another user.
The server properties also allow you to configure license replication, which can be set
on a server using its Licensing properties in Control Panel. By default, license informa-
tion is replicated from a server’s License Logging Service to the site license server every
24 hours, and the system automatically staggers replication to avoid burdening the site
licensing server. If you want to control replication schedules or frequency, you must
manually vary the Start At time and Start Every frequency of each server replicating to
a particular site license server.
To manage Per Device or Per User licensing, click Licensing from the Administrative
Tools program group, then choose the New License command from the License menu.
In the New Client Access License dialog box, select the server product and the number
of licenses purchased. Licenses are added to the pool of licenses. As devices or users
connect to the product anywhere in the site, they are allocated licenses from the pool,
with one license for each device or user. After a pool of licenses is depleted, license
violations occur when additional devices or users access the product.
The Purchase History tab in Licensing (as shown in Figure 9-13) provides a historical
overview of licenses purchased for a site, as well as the quantity, date, and administra-
tor associated with the addition or removal of licenses.
Figure 9-13 The Purchase History tab of the Microsoft Licensing administrative tool
To view cumulative information about licensing and compliance, click the Products
View tab. This tab shows how many licenses have been purchased and allocated to
users or devices (in Per Device or Per User mode) or the number of licenses purchased
for all servers in the site and the peak connections reached to date (in Per Server
mode). You can also determine compliance using the licensing status symbols shown
in Table 9-2.
Table 9-2 Licensing Status Symbols
Each product in the Products View tab carries one of three status icons:
■ In compliance: The product is in compliance with legal licensing requirements. The
number of connections is less than the number of licenses purchased.
■ Not in compliance: The product is not in compliance with legal licensing requirements.
The number of connections exceeds the number of licenses purchased.
■ At the limit: The product has reached the legal limit. The number of connections equals
the number of licenses purchased. If additional devices or users will connect to the
server product, you must purchase and log new licenses.
License Groups
Per Device or Per User licensing requires one CAL for each device. However, the
License Logging service assigns and tracks licenses by user name. When multiple users
share one or more devices, you must create license groups, or licenses will be con-
sumed too rapidly.
A license group is a collection of users who collectively share one or more CALs. When
a user connects to the server product, the License Logging service tracks the user by
name but assigns a CAL from the allocation assigned to the license group. The concept
is easiest to understand with examples:
■ 10 users share a single handheld device for taking inventory A license
group is created with the 10 users as members. The license group is assigned one
CAL, representing the single device they share.
■ 100 students occasionally use a computer lab with 10 computers A license
group is created with the 100 students as members, and is allocated 10 CALs.
To create a license group, click the Options menu and, from the Advanced menu,
choose New License Group. Enter the group name and allocate one license for each
client device used to access the server. The number of licenses allocated to a group
should correspond to the number of devices used by members of the group.
Lesson Review
The following questions are intended to reinforce key information presented in this
lesson. If you are unable to answer a question, review the lesson materials and try the
question again. You can find answers to the questions in the “Questions and Answers”
section at the end of this chapter.
1. What are the valid licensing modes in Windows Server 2003? Select all that apply.
a. Per User
b. Per Server
c. Per Seat
d. Per Device or Per User
2. You are hiring a team to tackle a software development project. There will be
three shifts of programmers, and each shift will include six programmers. Each
programmer uses four devices to develop and test the software, which authenti-
cates against a computer running Windows Server 2003. What is the minimum
number of CALs required if the servers involved are in Per Device or Per User
licensing mode?
a. 6
b. 4
c. 18
d. 24
3. What tool will allow you to identify the site license server for your site?
a. Active Directory Domains And Trusts
b. The Licensing tool in Control Panel
c. Active Directory Sites And Services
d. DNS
4. You manage the network for a team of 500 telephone sales representatives. You
have 550 licenses configured in Per Device or Per User licensing mode. A new
campaign is launched, and you will hire another shift of 500 reps. What do you
need to do to most effectively manage license tracking and compliance?
a. Revoke the licenses from the existing clients
b. Delete the existing licenses, and then add 500 licenses
c. Create license groups
d. Convert to Per Server licenses
Lesson Summary
■ Windows Server 2003 provides a new mode of licensing whereby a user can
access a server product from multiple devices using one license, or a group of
users can access a server product from a single device. This is called Per Device or
Per User licensing.
■ When more than one user accesses a server product from shared devices, add
those users as a license group, and allocate licenses to that group equivalent to the
number of devices.
■ License information is replicated, by default every 24 hours, to the site license
server.
■ Licensing can be managed using the Licensing tool in Control Panel or, more cen-
trally, using the Licensing administrative tool from the Administrative Tools pro-
gram group.
Case Scenario Exercise
You are configuring an update strategy for a network consisting of 1000 clients running
a mix of Windows XP and Windows 2000. Your goal is to prevent users from down-
loading updates directly from Microsoft Update and to create a structure in which you
can approve critical patches and security rollups for distribution.
You have recently purchased desktops and laptops, and you have applied the corpo-
rate standard image to those systems. Unfortunately, the image was created a while
ago. The Windows XP image has only Service Pack 1 applied. So your first task is to
update systems to the latest service pack level so that the Automatic Updates client, as
well as all patches and fixes, can be installed on the computers.
Note In this hands-on scenario, you may test the results using a second computer. To do
so, join the computer to the domain and move its computer account to the Desktops OU.
Exercise 1: Download and Extract the Service Pack
1. Create a folder on the C drive and name the folder ServicePack.
2. From the Microsoft download site, http://www.microsoft.com/downloads, or from
the Windows XP site, http://www.microsoft.com/windowsxp, download the latest
service pack. Save it to the C:\ServicePack folder.
3. Open a command prompt and type cd C:\ServicePack to change to the Service-
Pack folder.
4. Type WindowsXP-KB835935-SP2-ENU.exe -x. Substitute WindowsXP-KB835935-
SP2-ENU with the file name of the service pack you downloaded.
5. You will be prompted to indicate the location to which the service pack will be
extracted. Type C:\ServicePack.
6. The service pack is extracted. Use Windows Explorer to navigate the folder struc-
ture that was created. Make note of the location of Update.exe (in the Update
folder), which you use to launch installation of the service pack on a single
machine, and of Update.msi (in the same folder), which you can use to deploy the
service pack through Group Policy–based software distribution.
Exercise 2: Deploy the Service Pack with Group Policy
1. Share the C:ServicePack folder with the share name ServicePack.
2. Open Active Directory Users And Computers.
3. Expand the domain and locate (or create) the Desktops OU.
4. Create a computer object in the Desktops OU called Desktop0569 to represent
one of the new systems.
Note If you have a second system with which to perform this case scenario exercise, move
that system’s account into the Desktops OU.
5. Create a GPO called SP-Deploy.
If you are using the GPMC to manage Group Policy:
a. Open the GPMC.
b. Right-click the Desktops OU and choose Create And Link A GPO Here.
c. Name the GPO SP-Deploy.
d. Right-click the SP-Deploy Group Policy link and click Edit.
Otherwise:
a. Right-click the Desktops OU and choose Properties.
b. Click the Group Policy tab.
c. Click New to create a new GPO. Name the object SP-Deploy.
d. Select the SP-Deploy Group Policy link and click Edit.
The Group Policy Object Editor opens.
6. Navigate to Computer Configuration\Software Settings.
7. Right-click Software Installation, choose New, and then choose Package.
8. Type the path \\server01.contoso.com\servicepack and press ENTER. The
browse dialog box will take you to the root of the extracted service pack.
9. Navigate to the Update.msi file you identified in the previous exercise. Select the
Update.msi file and click Open.
10. Select Assigned and click OK. The package is created.
11. Close Group Policy Object Editor and the Desktops OU’s Properties dialog box.
12. (Optional) If you have a second system with Windows XP, but without SP2, you
can test the deployment of the service pack. Remember that computers running
Windows XP are configured by default to optimize logon, so it might take two
restarts before the service pack is applied. You can confirm the service pack level
on a machine by clicking Start, Run, and then typing winver.
Exercise 3: Install WSUS
1. If IIS is not already installed, complete Exercise 1 of the Practice in Chapter 6, Les-
son 4, to install IIS.
2. Navigate to http://www.microsoft.com/wsus.
3. Locate and download the WSUS installation package.
4. Start WSUS installation by double-clicking the downloaded file.
5. On the Welcome screen, click Next.
6. Read and accept the End User License Agreement, and then click Next.
7. On the Select Update Source screen, configure a location for WSUS to be installed
if the default is not acceptable. Click Next.
Note The updates might consist of several GBs of files. If you have a slow Internet connec-
tion, or if you want to save time during this exercise, clear the option to Store Updates
Locally. WSUS will not synchronize update installation files, which will reduce the require-
ments for free disk space and will reduce the time required for the initial synchronization of
updates. However, any clients that use the WSUS server will have to download the update
installation files from Microsoft Update.
8. On the Database Options page, select Install SQL Server Desktop Engine (Windows)
On This Computer. Click Next.
9. On the Web Site Selection page, select Use The Existing IIS Default Web Site (rec-
ommended). Click Next.
10. On the Mirror Update Settings page, click Next.
11. A summary page appears. Confirm the configuration and click Next.
12. After installation has completed, clear the option to Launch The Web Administra-
tion Tool. Click Finish.
Exercise 4: Synchronize WSUS
1. If you are not already viewing the WSUS administration page, open Internet
Explorer and navigate to http://SERVER01/WSUSAdmin.
Note To view the WSUS administration site, you might need to add Server01 to Internet
Explorer’s Trusted Sites zone. Open Internet Explorer and choose Internet Options from the
Tools menu. Click the Security tab, select Trusted Sites, and click Sites. Add Server01 and
Server01.contoso.com to the list of trusted sites.
2. Below the To Do List, click the Get Started By Synchronizing Your Server link.
3. In the Update Files And Languages area, click Advanced.
4. A warning message indicates that computers will not be able to receive updates
from the server during the configuration change. Click OK.
5. In the Language frame, select Download Only Those Updates That Match The
Locale Of This Server.
6. A warning message indicates that you need to include all languages of all comput-
ers in your network. Click OK.
7. Click OK to close the Advanced Synchronization Options dialog box.
You will manually synchronize for this exercise. However, you can examine syn-
chronization options by clicking Synchronize Using This Schedule. When you are
finished exploring settings, click Cancel.
8. Below Tasks, click the Synchronize Now link. If you have elected to download
updates to the server, synchronization might take some time.
9. After synchronization has occurred, click the Updates link in the top navigation
bar.
10. Approve a small number of updates so that you can return later to experiment fur-
ther with approval and automatic updates.
11. Examine other pages of the WSUS administration site. After you have familiarized
yourself with the site, close Internet Explorer.
Exercise 5: Configure Automatic Updates
1. Create a GPO called WSUS-Config.
If you are using the GPMC to manage Group Policy:
a. Open the GPMC.
b. Right-click the domain contoso.com and choose Create And Link a GPO Here.
c. Name the GPO WSUS-Config.
d. Right-click the WSUS-Config Group Policy link and click Edit.
Otherwise:
a. Right-click the domain contoso.com and choose Properties.
b. Click the Group Policy tab.
c. Click New to create a new GPO. Name the object WSUS-Config.
d. Select the WSUS-Config Group Policy link and click Edit.
2. Navigate to Computer Configuration\Administrative Templates\Windows
Components\Windows Update.
3. Double-click the policy: Specify Intranet Microsoft Update Service Location, and
then select Enabled.
4. In both text boxes, type http://server01.contoso.com and click OK.
5. Double-click the policy: Configure Automatic Updates, and then select Enabled.
6. In the Configure Automatic Updating drop-down list, choose 4-Auto Download
And Schedule The Install.
7. Confirm the installation schedule: Daily at 3:00 A.M.
8. Click OK.
9. Double-click the policy: Reschedule Automatic Updates Scheduled Installations,
and then select Enabled.
10. In the Wait After System Startup (Minutes) box, type 10 and click OK.
Exam Tip The Wait After System Startup policy is used to reschedule a scheduled instal-
lation that was missed, typically when a machine was turned off at the scheduled date and
time.
11. Close the Group Policy Object Editor.
12. To confirm the configuration, you can restart the server, which is also within the
scope of the new policy. Open System from Control Panel and click the Automatic
Updates tab. You will see that configuration options are disabled because they are
now being determined by policy.
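Step 12 confirms the policy only by looking at greyed-out controls. The Windows Update administrative template writes its settings to HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (and its AU subkey), so a client can be checked directly against what the WSUS-Config GPO was supposed to deliver, which is also how you spot a client that has been pointed at an update server you did not choose. The following PowerShell is an added example and not part of this training kit; it assumes the http://server01.contoso.com value from step 4 and the schedule from steps 6 through 10, and that it runs on a client after a Group Policy refresh.

```powershell
# Added example (not from the training kit): audit the Automatic Updates policy
# registry values that the WSUS-Config GPO should have written to this client.
# Assumed: expected server URL and schedule taken from Exercise 5.
$ExpectedServer = 'http://server01.contoso.com'   # value entered in step 4

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = "$PolicyKey\AU"

# A missing key means no policy applies; properties are then $null.
$Wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
$Au = Get-ItemProperty -Path $AuKey     -ErrorAction SilentlyContinue

# AUOptions codes from the Configure Automatic Updates policy.
$AuOptionNames = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

$Findings = New-Object System.Collections.Generic.List[string]

# Specify Intranet Microsoft Update Service Location -> WUServer, WUStatusServer, AU\UseWUServer
if (-not $Wu -or -not $Wu.WUServer) {
    $Findings.Add('No intranet update server configured: client will use Microsoft Update')
} else {
    if ($Wu.WUServer -ne $ExpectedServer) {
        $Findings.Add("WUServer is '$($Wu.WUServer)', expected '$ExpectedServer'")
    }
    if ($Wu.WUStatusServer -ne $Wu.WUServer) {
        $Findings.Add('WUStatusServer differs from WUServer: status reports go to a different host')
    }
    if ($Wu.WUServer -notmatch '^https://') {
        $Findings.Add('Update server URL is plain HTTP (the exercise uses HTTP; prefer HTTPS where the WSUS site offers it)')
    }
    if (-not $Au -or $Au.UseWUServer -ne 1) {
        $Findings.Add('AU\UseWUServer is not 1: WUServer is ignored and Microsoft Update is used')
    }
}

# Configure Automatic Updates -> AU\NoAutoUpdate, AUOptions, ScheduledInstallDay/Time
if (-not $Au -or $Au.NoAutoUpdate -eq 1) {
    $Findings.Add('Automatic Updates is disabled by policy')
} else {
    $opt = [int]$Au.AUOptions
    if ($opt -ne 4) {
        $Findings.Add("AUOptions is $opt ($($AuOptionNames[$opt])), expected 4 (auto download and schedule)")
    }
    # Day 0 = every day; time is the hour in 24-hour local time.
    if ($Au.ScheduledInstallDay -ne 0 -or $Au.ScheduledInstallTime -ne 3) {
        $Findings.Add("Schedule is day $($Au.ScheduledInstallDay) at $($Au.ScheduledInstallTime):00, expected every day at 03:00")
    }
}

# Reschedule Automatic Updates Scheduled Installations -> AU\RescheduleWaitTime (minutes)
if (-not $Au -or -not $Au.RescheduleWaitTime) {
    $Findings.Add('RescheduleWaitTime not set: the 10-minute reschedule from step 10 is not in effect')
} elseif ($Au.RescheduleWaitTime -ne 10) {
    $Findings.Add("RescheduleWaitTime is $($Au.RescheduleWaitTime), expected 10")
}

if ($Findings.Count -eq 0) {
    Write-Output 'Automatic Updates policy matches the WSUS-Config GPO'
} else {
    $Findings | ForEach-Object { Write-Warning $_ }
}
```

Because these values live under the Policies hive, they are rewritten at every Group Policy refresh; a value that keeps reverting after you run the script points at a GPO you did not expect to apply, and a WUServer that is not the one you configured is worth treating as an incident rather than a misconfiguration, since whoever controls that URL controls what the client installs as SYSTEM.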
Chapter Summary
■ Windows Server Update Services (WSUS) enable you to centralize and manage the
approval and distribution of updates to a variety of Microsoft operating systems,
servers, and applications. One or more WSUS servers host lists of approved
updates and, optionally but typically, the update files themselves. Automatic
Updates clients are configured, usually through GPOs, to obtain updates from
intranet WSUS servers rather than from Microsoft Update.
■ Service packs can be obtained free from Microsoft. If the service pack is a single
file, it can be extracted from the command prompt by entering the service pack’s
filename followed by the -x switch.
■ Service packs are deployed easily by assigning a software installation package to
the computer configuration’s software settings policies in a GPO. WSUS, but not
SUS, supports deploying service packs through the update infrastructure.
■ Tracking and managing licenses and compliance is an important part of an admin-
istrator’s job. Windows Server 2003 gives you the ability to assign licenses based
on concurrent connections to a specific server or to maintain a license for each
device or user that connects to any number of servers in your enterprise.
■ Licenses are replicated between servers’ License Logging service and the site
license server. The site license server can be identified using Active Directory Sites
And Services, but site licensing is administered using the Licensing tool in the
Administrative Tools programs group.
■ A license group enables users to share one or more devices. The number of
Windows Device CALs is assigned to the license group.
9-44 Chapter 9 Maintaining the Operating System
Exam Highlights
Before taking the exam, review the key points and terms that are presented below to
help you identify topics you need to review. Return to the lessons for additional
practice and review the “Further Reading” sections in Part 2 for pointers to more
information about topics covered by the exam objectives.
Key Points
■ Read the CD-ROM supplement regarding SUS. As of the date of publication,
certification exams were focused on SUS rather than on WSUS.
■ For SUS or WSUS, focus on administrative tasks, such as synchronizing, approving
updates, viewing logs and events, and configuring Automatic Updates through
System in Control Panel (on a stand-alone computer) or using Group Policy in a
larger environment. Remember that you cannot direct a computer to a WSUS
server using the Automatic Updates properties on a client. You must use Group
Policy, or a registry entry, to redirect the client to an intranet server rather than to
Microsoft Update.
■ Be able to calculate license requirements in a variety of Per Server or Per Device
or Per User scenarios. Remember that license groups allow multiple users to share
one or more devices.
Key Terms
Client Access License The license that allows a user or device to connect to a server
product for any functionality, including file and print service or authentication.
Per Server license mode Licenses are allocated when a user or device connects to
the server or product. When the user disconnects, the license is returned to the
available license pool. This mode requires sufficient licenses to support the
maximum number of concurrent connections on each individual server.
Per Device or Per User mode License requirements allow a single CAL to
authorize a user (who may use more than one device) or a device (which may be used
by more than one user) to connect to any number of servers.
license group Because the License Logging service allocates licenses based on user
name and not device name, Windows Device CALs are given to a license group.
A license group has one or more users, and is allocated licenses equivalent to the
number of devices used by that group to connect to server products.
Questions and Answers
Lesson 1 Review (page 9-25)
1. You are configuring a WSUS infrastructure. One server is synchronizing metadata
and content from Windows Update. Other servers (one in each site) are
synchronizing content from the parent WSUS server. Which of the following steps is
required to complete the WSUS infrastructure?
a. Configure Automatic Updates clients using Control Panel on each system.
b. Configure GPOs to direct clients to the WSUS server in their sites.
c. Configure a manual content distribution point.
d. Approve updates using the WSUS administration page.
The correct answers are b and d.
2. You are configuring WSUS for a group of Web servers. You want the Web servers
to update themselves nightly based on a list of approved updates on your WSUS
server. However, once in a while an administrator is logged on, performing
late-night maintenance on a Web server, and you do not want update installation and
potential restart to interfere with those tasks. What Windows Update policy
configuration should you use in this scenario?
a. Notify For Download And Notify For Install
b. Auto Download And Notify For Install
c. Auto Download And Schedule The Install
The correct answer is c. You want the Web servers to update themselves, so you must
schedule the installation of updates. However, an administrator always has the option to cancel the
installation.
3. You want all network clients to download and install updates automatically during
night hours, and you have configured scheduled installation behavior for
Automatic Updates. However, you discover that some users are turning off their
machines at night, and updates are not being applied. Which policy allows you to
correct this situation without changing the installation schedule?
a. Specify Intranet Microsoft Update Service Location
b. No Auto-Restart For Scheduled Automatic Updates Installations
c. Reschedule Automatic Updates Scheduled Installations
d. Configure Automatic Update
The correct answer is c. Updates are automatically downloaded using background processes
and idle bandwidth, but the installation is triggered by the specified schedule. If a computer is
turned off at the installation time, it waits until the next scheduled date and time. The
Reschedule Wait Time policy, if set between 1 and 60, causes Automatic Updates to start update
installation 1 to 60 minutes after system startup.
Lesson 2 Review (page 9-28)
1. What command should you use to unpack the single file download of a service
pack?
a. Setup.exe -u
b. Update.exe -x
c. Update.msi
d. <Servicepackname>.exe -x
The correct answer is d.
2. What type of Group Policy software deployment should be used to distribute a
service pack?
a. Published in the Computer Configuration Software Settings
b. Assigned in the Computer Configuration Software Settings
c. Published in the User Configuration Software Settings
d. Assigned in the User Configuration Software Settings
The correct answer is b.
Lesson 3 Review (page 9-37)
1. What are the valid licensing modes in Windows Server 2003? Select all that apply.
a. Per User
b. Per Server
c. Per Seat
d. Per Device or Per User
The correct answers are b and d.
2. You are hiring a team to tackle a software development project. There will be
three shifts of programmers, and each shift will include six programmers. Each
programmer uses four devices to develop and test the software, which
authenticates against a computer running Windows Server 2003. What is the minimum
number of CALs required if the servers involved are in Per Device or Per User
licensing mode?
a. 6
b. 4
c. 18
d. 24
The correct answer is c. If you were to license based on devices, there are six times four
devices, or 24 devices. It will be more cost-effective to license based on the number of users,
which is 18.
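The Key Points ask you to calculate license requirements under both modes, and the question above is one such scenario. The following added example (not from the book) builds that scenario as constructed data, computes the Per Device or Per User answer (the cheaper of user CALs and device CALs), the Windows Device CALs a license group would be allocated, and the Per Server requirement from sampled concurrent connections. The user and device names are made up.

```python
def build_shift_scenario(shifts=3, per_shift=6, devices_per_seat=4):
    """Constructed data for the question above: every shift reuses the same seats,
    and each seat has its own devices, so devices are shared across shifts but
    users are not. Returns {user: set of devices that user connects from}."""
    user_devices = {}
    for shift in range(shifts):
        for seat in range(per_shift):
            user = f"shift{shift + 1}-prog{seat + 1}"  # constructed user name
            user_devices[user] = {
                f"ws-{seat * devices_per_seat + d + 1:02d}"  # constructed device name
                for d in range(devices_per_seat)
            }
    return user_devices


def cal_requirements(user_devices):
    """Per Device or Per User mode: a single CAL covers one user (any devices) or one
    device (any users), so count both ways and take the cheaper.
    Returns (user_cals, device_cals, minimum)."""
    user_cals = len(user_devices)
    device_cals = len(set().union(*user_devices.values())) if user_devices else 0
    return user_cals, device_cals, min(user_cals, device_cals)


def license_group_device_cals(user_devices, members):
    """Windows Device CALs allocated to a license group equal the number of distinct
    devices its member users connect from (the License Logging service tracks users,
    not devices, which is why the group exists)."""
    members = list(members)
    return len(set().union(*(user_devices[u] for u in members))) if members else 0


def per_server_cals(samples):
    """Per Server mode: each server needs enough CALs for its own peak number of
    concurrent connections. samples: {server: [set of (user, device) pairs connected
    at each sampling instant]} -> {server: CALs required}."""
    return {server: max((len(s) for s in snaps), default=0)
            for server, snaps in samples.items()}
```
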
3. What tool will allow you to identify the site license server for your site?
a. Active Directory Domains And Trusts
b. The Licensing tool in Control Panel
c. Active Directory Sites And Services
d. DNS
The correct answ